Injecting Hypervisor-based Software Partitions into Design Space Exploration Activities considering Mixed-Criticality Requirements

Vittoriano Muttillo  
Center of Excellence DEWS  
University of L’Aquila  
L’Aquila, Italy  
vittoriano.muttillo@graduate.univaq.it

Giacomo Valente  
Center of Excellence DEWS  
University of L’Aquila  
L’Aquila, Italy  
giacomo.valente@univaq.it

Abstract—This work faces the role of HW/SW Design Space Exploration for heterogeneous parallel embedded systems subject to mixed-criticality requirements, extended to consider also hypervisor technologies. In particular, it presents an evolutionary approach integrated into a reference Electronic System-Level HW/SW Co-Design flow able to consider and evaluate design alternatives while exploiting also Hypervisor-based SW partitions. Finally, some experimental results show the effectiveness of the proposed approach.

Index Terms—HW/SW Co-Design, Heterogeneous Parallel Embedded Systems, Design Space Exploration, Mixed-Criticality Systems, Hypervisor technologies

I. INTRODUCTION

In recent years, there has been a growing trend in exploiting (heterogeneous) multi-processor/core (i.e. parallel) platforms to execute embedded applications with different levels of criticality (i.e. Mixed-Criticality Embedded Systems, MCES). However, allowing these applications to safely coexist and possibly interact on the same platform becomes a very complex task that poses several challenges from the implementation point of view [1]. In fact, embedded applications with different criticality levels can be allocated on different dedicated HW components or on different software partitions hosted on one or more shared HW components. The complexity of identifying the best architecture and mapping, especially when considering heterogeneous scenarios, is so high that heuristics Design Space Exploration (DSE) approaches are needed to help designers to identify a solution able to satisfy the requirements.

In such a context, the purpose of this work is to present a design space exploration step, integrated into an Electronic System-Level (ESL) HW/SW Co-Design framework, to support the development of heterogeneous parallel MCES, extended to consider also Hypervisor (HPV) technologies [2] and related software partitions concept. The remainder of the paper is organized as follows: Section II presents related works that consider mixed-critical requirements into the whole design flow. Section III describes the adopted design flow, while Section IV presents the main features of the proposed DSE approach. Then, Section V analyzes experimental results. Finally, Section VI closes the paper with some conclusions and future works description.

II. DESIGN SPACE EXPLORATION FOR SAFETY CRITICAL APPLICATIONS

In the last few years, a growing trend in the embedded systems domain is to run multiple embedded applications with different levels of criticality on a shared hardware platform, where the criticality of an application is an indication of the required level of “assurance” both from safety and security points of view. In such a context, the most critical development steps are related to the System Specification and the Design Space Exploration activities [3] and the main differences among the various works in the literature are mainly related to the different amount of information and actions that explicitly rely on the designer experience. For example, AUTOFOCUS3 [4] proposes a model-based development process at different levels of abstraction introducing safety-oriented constraints associated to computing components. The tool assigns the levels of criticality to application tasks and computing resources, avoiding the allocation of high-criticality tasks to low-criticality resources. CONTREP (CONTREX Eclipse plug-in, [5]) is a framework supporting UML/MARTE based modeling, analysis and design of mixed-criticality embedded systems. It is based on the CONTREX UML/MARTE modeling methodology [6] and considers safety constraints into the different design activities, integrating external tool like Multicube Explorer [7] for the DSE step. Finally, DeSyDe [8] provides a DSE tool for bare-metal applications, finding implementations for a set of tasks on a shared multi-processor platform starting from synchronous dataflow graphs (SDFGs), introducing MC requirement at scheduling level.

Considering the “software partition” concept, the work in [2] presents a state-of-the-art respect to HPV technologies into the embedded safety-critical system domain. A lot of HPVs have been developed to check and match certification requirements, avoiding interferences between partitions/tasks into a self-contained environment. In particular, PikeOS [9] provides a real-time operating system able to manage paravirtualization services, XtratuM [10] is a bare metal hypervisor.
for paravirtualization and OKL4 Microvisor [11], developed by General Dynamics C4 Systems (formerly Open Kernel Labs), implements an advanced secure type-1 hypervisor, realizing a high performance Inter-Process Communication (IPC) message exchange mechanism.

In this context, this work proposes a DSE approach that is able to consider mixed-criticality issues into the development of heterogeneous parallel MCES, also exploiting HPV technologies. The main differences among the proposed approach and the previous works are related to the introduction of HPV software partitions (and virtualized environment) that allows to find cheaper (in terms of area/chip cost) and faster solutions (in term of timing, communication and concurrency performance), increasing the space of feasible final implementations. It is worth noting that none of the previous tools consider HPV solution in the design space step. A work that considers HPV methodology to identify a set of partitions, and that allocates applications to partitions is [12], but it considers fixed HW components and multi-core architecture, and it does not rely on DSE and direct (bare-metal) HW implementation, considering only HPV scenarios and not an hybrid environment and solutions involving also, for example, FPGA, DSP and so on. So, at the best of our knowledge, there are few works that introduce mixed-criticality issues directly into a HW/SW co-design flow, and there is a lack with respect the inclusion of software HPV into the whole design flow considering HW/SW Co-Design methodologies (in order to find the best sub-optimal solution in an early design stage).

III. HW/SW Co-Design Framework

In the context of MCES, this work adopts a specific Electronic System-Level HW/SW co-design flow (HEPSY-CODE: HW/SW Co-Design of Heterogeneous Parallel Dedicated Systems) [13], as shown in Fig. 1, based on an existing Methodology [14] (Fig. 1), while introducing Mixed Criticality (MC) requirements. The System Description step defines three reference models: Application, Partition, and Platform.

The Application Model exploits a behavioral modeling language, named HML (HEPSY Modeling Language) [15], based on CSP MoC [16]. By means of HML it is possible to specify the System Behavior Model (SBM), an executable model of the system behavior, a set of Non-Functional Constraints (NFCs) and a set of Reference Inputs (RIs) to be used for simulation-based activities. NFCs are composed of Timing Constraints (TCs), Architectural Constraints (ACs) and Scheduling Directives (SDs). In this work, the TC expressed by the designer is the Time-to-Completion (TTC) one. It is the time available to complete the SBM execution from the first input trigger to the complete output generation. ACs are related to the Target Form Factor (TFF) as System On-chip (SoC: ASIC or FPGA) or System On-Board (SoB: PCB) and to the Target Template Architecture (TTA) depending on the available Basic Blocks (BBs). Finally, SDs specify the available scheduling policies.

The partition model represents the HPV software partitions layer where, currently, only GPP are able to manage and exploit virtualization technologies (in future also ASP processors could be considered).

The Platform model defines the basic HW components available to build the final HW architecture. The target HW architecture is composed of different basic HW components. These components are collected into a Technologies Library (TL). TL can be considered as a generic "database" that provides the characterization of the available technologies. TL is composed by a set of Processing Units (PU), a set of Memory Units (MU) and a set of Interconnection Links (IL). However, the detailed characterizations depend from TFF. The main differences are related to the different attributes needed to characterize PU, MU, and IL. This work considers only TL for SOB where each PU that executes SW shall be a discrete Commercial Off-The-Shelf (COTS) Integrated Circuit (IC) mounted on a board [17].

The designer uses such components to build a set of Basic Blocks (BB) available during DSE step to automatically define the HW architecture. A generic BB is composed of a set of PU, a set of MU and a Communication Unit (CU). CU represents the set of IL that can be managed by a BB. BB internal architecture is dependent on TFF and TTA. The target HW architecture can be seen as a set of BB elements interconnected by means of one or more IL elements. The type of available BB is automatically defined by the selected TTA. This work focuses on Heterogeneous Multi-Processor System with Distributed Memory where each BB element is composed of only 1 PU element (possibly heterogeneous among BB elements), some local MU elements and 1 CU element. It is worth noting that the reference methodology is able to consider other TTA [18], but the current prototypical tools fully support only the one listed above.

The Metrics Evaluation and Estimation activities provide several metrics related to the BB involved in the design flow. This step aims at extracting as much as possible information about the system by analyzing the (Application Model) while considering the available BB (Platform Model)

![Fig. 1. HW/SW Co-Design Flow.](image-url)
and the use of Hypervisor technologies (Partition Model). This step is supported by Co-Analysis and Co-Estimation activities to evaluate/estimate several metrics related to the BB involved in the design flow. Co-Analysis performs evaluation of Affinity [19], Concurrency and Communication metrics [17]. Co-Estimation performs a Static Estimation of Size, and a Dynamic Estimation of Load [17].

After these steps, the reference co-design flow reaches the DSE one. Starting from Application Model, Partition Model, Platform Model and HW/SW Partitioning And Mapping (PAM) parameters associated to the evolutionary algorithm, it includes two iterative activities: “Search Methods”, that provides HW/SW partitioning, mapping and architecture definition using a genetic algorithm that allows to explore the design space looking for feasible mapping/architecture items suitable to satisfy imposed constraints; “Timing Co-Simulation”, that considers suggested mapping/architecture items to actually check for timing constraints satisfaction (Fig. 1).

IV. MIXED-CRITICALITY EVOLUTIONARY APPROACH

The proposed DSE is based on a Genetic Algorithm (GA) used to optimize a multi-objective cost function that quantifies the quality of each individual of the GA population. In this context, the instance of an individual is defined as a matrix where the column index represents processes and the values represents BB instances and software partition elements, indicated as PT (if a BB contains GPP-type processors, 0 otherwise), as shown in Fig. 2.

The first metric considered is the Affinity Index, that provides a quantification of the matching among the features of the functionality implemented by a process and the architectural features of each one of the following processor types: GPP, DSP, SPP. The higher the Affinity element value, the more suitable the corresponding processor type. The second metric is the Process Concurrency Index that provides information about how much processes pairs can be potentially concurrently “working”. The third metric is the Process Communication Index that is expressed by the number of bits sent/received over each channel. Finally, the metric specifically introduced in [20] [21] and extended in this paper to consider software partition is the Criticality Index, related to the criticality level associated to each process. In particular, defined the array $\text{CRIT} = \{c_{r1}, c_{r2}, \ldots, c_{rj}, \ldots, c_{rn}\} : c_{rj}$ is the integrity level associated to process $ps_j$, it is possible to define the Criticality Index as:

$$X_{\text{CRIT}} = \begin{cases} 1 & \text{if } c_{rj} > 0 \land ps_i \in \text{bb}_x \land ps_j \in \text{bb}_y \land \text{bb}_x \land \text{bb}_y \\ 0 & \text{otherwise} \end{cases}$$ (1)

The goal behind this metric is to avoid having processes with different criticality levels on the same (shared) processor/core resource, using HPV technologies to fulfill MC requirements. The introduction of SW partition concept decreases the minimum cost with respect to no-partition scenario, because it is possible to use a number of BBs instances less than the number of criticality levels, increasing the number of feasible design solutions with respect to criticality requirements.

V. VALIDATION

This section presents some results related to the DSE step. Table I shows the parameters setting. Considering AC, the maximum number of instances for each BB is 2, the maximum number of instances of BB considered into the DSE is equal to the number of processes (8) and BBs are supposed to communicate by means of a shared bus.

<table>
<thead>
<tr>
<th>Parameters</th>
<th>Nr.</th>
<th>Values</th>
</tr>
</thead>
<tbody>
<tr>
<td>BBs</td>
<td>≤10</td>
<td>2 8051, 2 DSPIC, 2 LEON3, 2 Spartan3AN, 2 Virtex-7</td>
</tr>
<tr>
<td>SW Partition</td>
<td>≤4</td>
<td>HPV Partition</td>
</tr>
<tr>
<td>GA Selection</td>
<td>1</td>
<td>Random</td>
</tr>
<tr>
<td>GA Crossover (C)</td>
<td>1</td>
<td>One-Point</td>
</tr>
<tr>
<td>C probability (pc)</td>
<td>0.3</td>
<td></td>
</tr>
<tr>
<td>GA Mutation (M)</td>
<td>1</td>
<td>Random</td>
</tr>
<tr>
<td>M probability (pm)</td>
<td>0.1</td>
<td></td>
</tr>
<tr>
<td>Survival Selection</td>
<td>1</td>
<td>Fitness-Based</td>
</tr>
<tr>
<td>S probability (ps)</td>
<td>1</td>
<td>0.15</td>
</tr>
<tr>
<td>Search Iteration (I)</td>
<td>40</td>
<td></td>
</tr>
<tr>
<td>Initial Population Size (P)</td>
<td>100</td>
<td># Starting Individuals</td>
</tr>
<tr>
<td>Max Population Size (P)</td>
<td>≤1000</td>
<td>Max # Final Individuals</td>
</tr>
</tbody>
</table>

The Reference use case is shown in Fig. 3. The CSP model represents an application called Fir-Fir-GCD, that takes in input two values (triggered by Stimulus), makes two filtering actions (Fir8 and Fir16), makes the greatest common divisor (GCD), and then displays the results [22]. The red number
under the name of each process represents the criticality level that has been associated to processes (the value has been assigned depending on the number of communicating channels and interactions among different processes). Fig. 4 shows some results from the DSE step, and how the DSE finds feasible solutions at each iteration step of Genetic Algorithm. Considering Affinity (provided by designer), Communication and Parallelism (taken from the Co-Analysis Activities) metrics, it is possible to note that the results, without considering partitions, are higher in Communication cost with respect to the situation with partitions. This is due to the possibility to find solutions and number of basic HW components less than the number of criticality levels, and also because the introduction of SW partitions offers the opportunity to allocate multiple processes on the same (partitioned) environment, so DSE can find solutions more suitable in terms of exchanged data with respect to the Non-SW-Partitions scenario. It is also possible to note that the Pareto Points follow a specific pattern (they are grouped into sub-sets that appear independent among each others). This behaviour could encourage the use of clustering methods into the GA steps in order to find different solutions, increasing diversity into individual generation/mutation activities. Table II shows results in term of DSE execution times. From this table it is worth noting that the MC scenarios take less time with respect to the classical non-MC scenarios. This is due to the reduced number of feasible solutions considered and the reduced number of total population size. With respect to SW partition one, the normal situation seems to be worst in terms of number of feasible (possible) solution found by DSE activity ($\simeq 50\%$). In terms of communication index, the SW partition scenario seems to be better in the average situation (as shown in Fig. 4). Other analysis related to cost area, execution

![Fig. 4. Pareto Set results from the Design Space Exploration activities with respect to Affinity, Communication and Parallelism metrics. The different Pareto Points position and dispersion pattern depends on SBM application, on the number of processes/BBs/channels/criticality levels and on the specific iteration, weights values and reference inputs considered in the whole design flow.](image)

**TABLE II**

<table>
<thead>
<tr>
<th>Iteration</th>
<th>No Partition - No MC</th>
<th>No Partition - MC</th>
<th>Partition - No MC</th>
<th>Partition - MC</th>
</tr>
</thead>
<tbody>
<tr>
<td>ET$^1$ (µs)</td>
<td># Sol.$^2$</td>
<td>Com.$^3$</td>
<td>ET$^1$ (µs)</td>
<td># Sol.$^2$</td>
</tr>
<tr>
<td>Initial</td>
<td>0.17</td>
<td>-</td>
<td>0.16</td>
<td>-</td>
</tr>
<tr>
<td>1</td>
<td>8.77</td>
<td>89</td>
<td>0.9150</td>
<td>0.99</td>
</tr>
<tr>
<td>5</td>
<td>9.29</td>
<td>267</td>
<td>0.9331</td>
<td>1.73</td>
</tr>
<tr>
<td>10</td>
<td>19.8</td>
<td>941</td>
<td>0.9295</td>
<td>3.69</td>
</tr>
<tr>
<td>20</td>
<td>30.7</td>
<td>949</td>
<td>0.9317</td>
<td>6.75</td>
</tr>
<tr>
<td>40</td>
<td>56.3</td>
<td>913</td>
<td>0.9317</td>
<td>12.2</td>
</tr>
<tr>
<td>Final</td>
<td>57.9</td>
<td>-</td>
<td>13.6</td>
<td>-</td>
</tr>
</tbody>
</table>

$^1$ET: DSE Execution Time; $^2$# Sol.: Number of feasible solution (from DSE); $^3$Com.: average normalized value of the individual Communication indexes at each iteration.
time and final (close to real scenarios) validation step will be studied in future works, but, starting from this results, considering communication, parallelism and affinity metrics, the introduction of SW partition (and HPV technologies) makes possible find solutions that behave better in term of exchanged data among processes. These solutions are not suitable in term of timing constraints, but they demonstrate how the introduction of SW partitions into DSE step improves results in terms of orthogonal metrics behavior (like communication and parallelism) and increases the number of feasible solutions by providing extended design space exploration opportunities while considering MC requirements.

VI. CONCLUSION AND FUTURE WORK

This work has proposed a criticality-driven design space exploration for mixed-criticality heterogeneous parallel embedded systems, considering hypervisor technologies and SW partitions into the whole co-design flow. By introducing the criticality index into the evolutionary algorithm, the DSE is able to suggest solutions that fulfill constraints avoiding allocating applications with different levels of criticality on the same shared HW or SW resource. Results show that mixed-criticality solutions are typically less in term of number of feasible solutions with respect to a non-criticality scenario, and this work helps to partition processes into a heterogeneous parallel platform in a fast way. The introduction of SW partitions into the DSE step improves the number of feasible solutions (increasing diversity and avoiding to remain in a local minimum), and allows to find best solution in term of communication and parallelism allocation. The Pareto Set solution seems to follow some specific patterns (grouping each others at each iteration). Future works will analyze the GA behaviour, choosing and implementing different selection, mutation and crossover techniques (to increase diversity), and comparing results with other meta-heuristic algorithms (or introducing clustering and machine learning techniques in order to avoid unexpected behaviors), also considering the reduction of simulation time (to improve and realize a fast and efficient early co-design activity). Future works will also analyze cost and performance parameters to check the advantage of using SW partitions into the whole Co-Design Flow. Finally, SW partitions add more challenges into the scheduling activities in order to check and validate execution time by means of simulations (in fact, the final simulator shall be able to "emulate" the HPV scheduling policies, introducing a second level of scheduler for each SW partition, modeling as-much-as-possible the virtualized execution time, reducing simulation overheads).

ACKNOWLEDGMENT

This work has been partially supported by the ECSEL RIA 2016 MegaM@Rt2 and AQUAS projects.

REFERENCES


