
Java Earning Its Wings
Aonix Makes Real Time Almost Safety Critical (Bryon Moyer)
It happened just like that. In the middle of a conversation, he got a kind of misty look in his eyes, like something wasn’t quite right. His breathing became more labored, he hunched forward a bit, and the next thing you knew, he was in full heart attack mode. An ambulance was quickly called for; this is where seconds count. As the ambulance was en route, efforts were made to clear the way for the EMTs so that they could get to work as quickly as possible. The main door was propped open, and an attempt was made to reserve the spot in front for the ambulance. But just as the ambulance was getting close, a garbage truck came by and blocked access. The garbage men casually jumped down from the truck and started collecting the garbage. Attempts to get them to back off even for a moment were in vain; they were scheduled to collect the garbage, and by George, that’s what they were gonna do. The ambulance would just have to wait.
And this is why standard old off-the-shelf Java isn’t used in real-time or safety-critical applications. While its more restrictive design, as compared to C or C++, actually helps system reliability in many respects, reducing the chances for system failure, it’s got a few unpredictable, non-deterministic characteristics that just won’t fly. Literally.
There are, broadly speaking, three levels of criticality for system operation. Most software we overtly use is at the least critical level, as is evident each time we try to access a website and the request just doesn’t go through; no explanations, no apologies. Or each time our computer crashes for no good reason. (OK, purists might say there’s never a good reason for a computer to crash… I could be persuaded…). Way down deep under the hood, the operating system is managing events the best it can (a relative concept), and things happen when they happen, for better or for worse.
The next level of criticality is real-time: it matters when things occur. Here events have to happen at a specific time or with a specific delay or latency. This requires more discipline on the part of the OS. While we hardly ever deal with this kind of system directly, we might do so through the use of systems with embedded processors employing a real-time operating system (RTOS).
The last level of criticality is called safety-critical. This is for systems whose failure could endanger lives. Things simply must never go wrong; everything must be thought through, every nook and cranny of the software must be statically testable, and code must be traceable from source all the way to object code.
You might say that at the lowest level, nothing (much) is at stake; at the real-time level, important system functionality is at stake, and at the safety-critical level, lives are at stake.
So you might well imagine that standard vanilla Java – the software, not some fru-fru wannabe coffee drink – will have some trouble with both real-time and safety-critical applications. When it comes to deterministic behavior, garbage collection (GC) is generally exhibit A in The Impassive People In Black Suits vs. The Java Developers In Cutoffs. Because its onset can’t be predicted and may not be the same from run to run, it can’t be used for real-time operation.
And for traceability, well, things are even worse. The standard Java environment compiles source code to byte code and then executes the byte code on a Virtual Machine (VM). During execution, classes can be loaded dynamically – and through the use of agents, those classes can even be instrumented in real time, completely changing the behavior of the program. This absolutely runs afoul of the traceability requirements that say that every step of the reduction of code from source to object must be traceable. In fact, with standard Java, that reduction process doesn’t complete until run time, and it is done entirely out of the control of the program developer – not the kind of thing that would give you a warm fuzzy feeling if your life depended on it.
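As an added illustration of the garbage-collection point above (this is not code from the article or from Aonix), the following Java program runs a 1 ms cyclic task twice, once without allocating and once allocating steadily, and reports the worst response time it saw in each case. The period, object sizes and iteration count are constructed values for the demo; what the second figure shows is that the collector decides when to stop the world, not the program.

```java
import java.util.ArrayList;
import java.util.List;

public class GcJitterDemo {
    // Constructed cycle time for a pretend periodic control task: 1 ms.
    static final long PERIOD_NS = 1_000_000L;
    static volatile Object sink;  // keeps the short-lived allocations from being optimized away

    /**
     * Runs a cyclic task for the given number of periods and returns the worst observed
     * response time in nanoseconds (time from the period's release tick to job completion).
     * With allocateGarbage set, the job creates short-lived and retained objects so that the
     * collector eventually has to run; when it runs is the VM's decision, not the program's.
     */
    static long worstResponseNs(int periods, boolean allocateGarbage) {
        List<byte[]> retained = new ArrayList<>();
        long worst = 0;
        long release = System.nanoTime() + PERIOD_NS;
        for (int i = 0; i < periods; i++) {
            while (System.nanoTime() < release) { /* spin until the release tick */ }
            if (allocateGarbage) {
                sink = new byte[64 * 1024];                          // dies immediately
                if (i % 8 == 0) retained.add(new byte[128 * 1024]);  // survives for a while
                if (retained.size() > 256) retained.clear();         // then becomes garbage in bulk
            }
            long response = System.nanoTime() - release;
            if (response > worst) worst = response;
            release += PERIOD_NS;  // an overrun simply shortens the next wait, as in a cyclic executive
        }
        return worst;
    }

    public static void main(String[] args) {
        int periods = 5_000;  // 5 s of 1 ms cycles per configuration
        long quiet = worstResponseNs(periods, false);
        long noisy = worstResponseNs(periods, true);
        System.out.printf("worst response, no allocation:   %6d us%n", quiet / 1_000);
        System.out.printf("worst response, with allocation: %6d us%n", noisy / 1_000);
        // Run it several times: the second figure is the one that moves from run to run.
    }
}
```

The absolute numbers depend on the VM, heap size and collector in use; the point is the spread between runs of the allocating case, which is exactly what a deadline analysis cannot bound.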