Efficient and robust probabilistic guarantees for real-time tasks

Efficient and robust probabilistic guarantees for real-time tasks

The Journal of Systems and Software 85 (2012) 1147–1156 Contents lists available at SciVerse ScienceDirect The Journal of Systems and Software journ...
Download PDF
988KB Sizes 4 Downloads 51 Views
Report

The Journal of Systems and Software 85 (2012) 1147–1156

Contents lists available at SciVerse ScienceDirect

The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss

Efficient and robust probabilistic guarantees for real-time tasks Luca Abeni ∗ , Nicola Manica, Luigi Palopoli DISI – University of Trento, Via Sommarive 14, Povo, TN, Italy

a r t i c l e

i n f o

Article history: Received 11 July 2011 Received in revised form 23 December 2011 Accepted 23 December 2011 Available online 30 December 2011 Keywords: Real-time computing Stochastic analysis Soft real-time

a b s t r a c t This paper presents a new method for providing probabilistic real-time guarantees to tasks scheduled through resource reservations. Previous work on probabilistic analysis of reservation-based schedulers is extended by improving the efficiency and robustness of the probability computation. Robustness is improved by accounting for a possibly incomplete knowledge of the distribution of the computation times (which is typical in realistic applications). The proposed approach computes a conservative bound for the probability of missing deadlines, based on the knowledge of the probability distributions of the execution times and of the inter-arrival times of the tasks. In this paper, such a bound is computed in realistic situations, comparing it with simulative results and with the exact computation of deadline miss probabilities (without pessimistic bounds). Finally, the impact of the incomplete knowledge of the execution times distribution is evaluated. © 2011 Elsevier Inc. All rights reserved.

1. Introduction An unmistakable trend in embedded systems is the growth of soft real-time computing. A soft real-time application is one for which deadlines can occasionally be missed, but the probability of this event has to be controllable and predictable. Obvious applications for soft real-time systems can be found in the realm of signal processing, multimedia streaming, or even in control applications. In signal processing, the extraction of features from images can be done using an anytime approach, which produces varying levels of accuracy depending on the time allocated to the application. Audio/video streaming is another classical example of soft-real time: if we stream a movie at 25 frames/s, an occasional loss of a frame is not even perceived by the average user, as far as the anomaly is kept in check. Other unsuspected applications of the soft real-time paradigm have been found in real-time control. Empirical experiences (Palopoli et al., 2000) and recent theoretical findings (Fontanelli et al., 2010) reveal that a moderate occurrence of deadline misses can be easily traded for a more aggressive choice of the task parameters (e.g., shorter activation periods). The gradual but steady change of the application landscape toward soft real-time computing already triggered the development of new analysis methods and scheduling solutions. For example, the traditional notion of deadline has been extended and generalised by the notion of probabilistic deadline (Abeni and Buttazzo, 1999): a constraint represented by a probabilistic

∗ Corresponding Author. E-mail addresses: [email protected] (L. Abeni), [email protected] (N. Manica), [email protected] (L. Palopoli). 0164-1212/$ – see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2011.12.042

deadline is expressed in the form (ı, P), meaning that a time limit ı is chosen for each activation of the task that has to be respected with probability P. The adoption of this paradigm requires the development of analytical techniques allowing one to compute P based on the task’s parameters and on the scheduling parameters. Examples of a similar analysis have been presented in the past (both for fixed priority Tia et al., 1995; Gardner and Liu, 1999; Cucu and Tovar, 2006 and for dynamic priority Diaz et al., 2002, 2004; Kim et al., 2005; Kaczynskit et al., 2007 scheduling) and have been recently extended to multiprocessor systems (Mills and Anderson, 2010). Other scheduling approaches (for example, based on Time Division Multiplexing Kang et al., 1997, on modifications of fixed priority scheduling Atlas and Bestavros, 1998, or on splitting tasks in mandatory parts and optional parts Hamann et al., 2001) have been analysed too. Real-time queueing theory (Lehoczky, 1996) also provides a way to compute the response time distributions when using various real-time scheduling algorithm, under the heavy traffic assumption (that is, when the system load is very close to 1). This assumption significantly restricts the range of applications for which this theory is applicable. The techniques based on classic fixed priority and earliest deadline first estimate the probability of missing deadlines for the task set considered as a whole: the parameters of a task can influence the termination statistics of the other tasks. This diminishes the potential interest of the method as a synthesis tool. More promising in this direction is the adoption of resource reservations algorithms (Rajkumar et al., 1998) such as the CBS (Abeni and Buttazzo, 1998): when using a reservation-based scheduler, the worst case finishing time of a task is not affected by the execution of the other tasks and the probabilistic guarantees can be provided on a per-task basis (by analysing each task in isolation) (Abeni and Buttazzo, 2001). This

1148

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156

property allows one to use queueing theory to compute the probability of a deadline miss for a task scheduled through a resource reservation algorithm (Abeni and Buttazzo, 1999, 2001). In general, most of the approaches recalled above require the computation of the stationary probability distribution of the response times (or of an approximation), and only focus on mathematical equations that, when solved, provide such a distribution as a result. However, less effort is dedicated to how such equations are actually solved. As a result, when non-trivial distributions of the execution times are used, long times and large amounts of memory are required to compute the probabilistic deadlines. This issue makes probabilistic analysis unsuitable for on-line acceptance tests, which result inefficient on ordinary computing architecture and are at a serious risk of being infeasible on many embedded devices utilising low-cost CPUs and small amounts of memory. Another important limitation is that the exact knowledge of the entire distributions of the computation times and of the interarrival times of the tasks is required in order to properly estimate the deadline miss probabilities (and it is not possible to estimate the errors and approximations caused by an incomplete or inexact knowledge of the probability distributions). However, the statistics of the task activation parameters are typically collected over an extensive set of execution runs of the task. As a result, even in a long sequence of execution the worst-case condition may never occur and the experimental distribution could be incomplete. Hence, execution times higher than the measured Worst Case Execution Time (WCET) can happen with a low probability c (that can be computed by using statistical techniques). In order for an analysis methodology to be practically applicable, it has to possess a certain degree of robustness with respect to partially known distributions. As a result of the issues discussed above, in previous papers only synthetic distributions of the execution times described by a small number of values have been used, and no realistic examples have been presented. Although approximated solution techniques have been proposed to address the first issue (by decreasing the complexity of the algorithm used to compute the deadline miss probability) (Refaat and Hladik, 2010), such approaches still need the complete knowledge of the execution times distribution (including the knowledge of the WCET) and have been applied to fixed priority scheduling (so, it is not possible to analyse each task in isolation). Moreover, the time needed to compute the deadline miss probability can still be high (only a 1:2 speedup respect to the exact solution is reported, and the computation time can be as large as 2000 ms). This paper takes a different approach to overcome the limitations highlighted above, by presenting an efficient algorithm to compute a conservative bound for the probability distribution of real-time tasks scheduled through resource reservations. Such a bound can be computed even if the probability distribution of the execution times is not fully known. Moreover, the proposed algorithm is efficient enough to be useful for on-line admission tests even in embedded devices (as shown in Section 5). These two points are important improvements respect to the state of the art, making probabilistic deadlines more usable in practice.

2. Model of a reservation A real-time task  i is modelled as a stream of jobs (or instances) Ji,j . Job Ji, j arrives (becomes ready for execution) at time ri,j , and finishes at time fi,j after executing for a time ci,j . Since execution times and inter-arrival times are not assumed to be constant, they are modelled as stochastic processes assumed independent and identically distributed (i.i.d.). Therefore, the execution parameters of the task  i are fully described by the Probability Mass Functions (PMFs) of the random variables given by the samples of these processes. In this paper, such distributions will be described by Ui (c)

and Ii (t), where Ui (c) = P{ci,j = c} is the PMF of the execution times and Ii (t) = P{ri,j+1 − ri,j = t} is the PMF of the inter-arrival times. Ui (c) and Ii (t) are assumed to be mutually independent. In traditional real-time systems, jobs are characterised by a deadline di,j = ri,j + Di which is respected if fi,j ≤ di,j . This work uses the probabilistic variant of this notion, called probabilistic deadline (Abeni and Buttazzo, 1999). A probabilistic deadline (ıi , pi ) is respected if P{fi,j > ri,j + ıi } ≤ pi . A hard real-time task can be described by a (Di , 0) probabilistic deadline. In this work, each real-time task  i is scheduled through a resource reservation (Rajkumar et al., 1998) (in this case, a CPU reservation (Mercer et al., 1994)) RSV i = (Qis , Tis ). The semantics of a reservation is that  i has the possibility to execute for an amount of time Qis (named maximum budget) in every reservation period Tis .



This property is verified if Q s /Tis ≤ U lub , with Ulub depending i i on the used reservation algorithm (if the reservation algorithm is based on EDF, then Ulub = 1). Using this scheduling approach, it is possible to decouple the scheduling parameters (Qis , Tis ) from the task activation parameters (described by Ui (c) and Ii (t)). Note that the specific scheduling algorithm used to implement the reservation strategy is not important for the analysis, and the only important property is that task  i can execute for Qis time units every Tis time units. The distribution of the finishing time can be computed applying standard arguments of the queueing theory. Since such analysis is significantly simplified when the inter-arrival times are multiples of Tis , a conservative approximation of Ii (t) can be used, which ensures that the inter-arrival times are multiples of Tis . A possible definition (Abeni and Buttazzo, 2001) is Ti (z) = P{ri,j+1 − ri,j = zT si }

(1)

where the random variable z represents the inter-arrival times expressed in multiples of Tis . To qualify the notion of conservative approximation of a random variable, it is useful to introduce the following relation between random variables (Diaz et al., 2004): Definition 1. Given two random variables X and Y, X  Y if Fx (x) ≤ Fy (x) for all x (where Fx (x) = P{X ≤ x} is the Cumulative Distribution Function – CDF – of X, and Fy (y) is the CDF of Y). Since considering a shorter inter-arrival time is a conservative approximation, to be conservative Ti (z) should be defined so that FIi (x)  FTi (x). A distribution with such a property can be easily computed as (z+1)T s −1

Ti (z) =

i

Ii (t)

t=zT s i

(see the cited paper Abeni and Buttazzo, 2001, where the condition

nT s

n

T (z)). FIi (x)  FTi (x) is expressed as ∀n, t=0i Ii (t) ≤ z=0 i Summing up, the guarantees obtained by using Ti (z) are valid for the original inter-arrival times distribution Ii (t) too, and Ti (z) has inter-arrival times multiple of Tis by construction. When using reservation-based scheduling, each task can be provided with an individual guarantee (without having to consider all the other tasks in the system); hence, from now on a single task  will be considered and the i index will be dropped (to simplify the notation). In deterministic real-time analysis the WCET C = max{cj } of task j

 is assumed to be known, and even the probabilistic analysis techniques proposed up to now make the same assumption. Indeed, since U(c) is assumed to be fully known, the maximum possible / 0 is assumed known as well. In this paper, value C for which U(C) = such a constraint about the WCET knowledge is relaxed, U(c) is known up to a maximum value C and the WCET C > C can be

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156

unknown. However, ∞in order to perform some analysis the probaU(c) = c to have an execution time larger bility P{c > C} = c=C+1

than C must be known. In this framework. setting c = 0 to the traditional model (with a known WCET). On the contrary, choosing c > 0 allows the designer to improve the robustness of the analysis. For example, if U(c) is estimated by running N jobs of the task and measuring their execution times, we do not have any guarantee that the worst case situation has been considered. By using statistical techniques it is possible to estimate the confidence that the actual worst case computation time is actually the one resulting from the experiments. A very rough estimation of the probability of having a new run in which the worst case exceed the one found in the first N experiment runs is 1/N. As in previous work (Abeni and Buttazzo, 2001) a stochastic process vj can be introduced to model the amount of time to be executed after the arrival of the jth job Ji,j . As shown in the cited paper, vj evolves according to the following rules:

v0 = c0 vj+1 = max{0, vj − zj Q s } + cj+1

∞ 

s

U(v − max{0, x − hQ })T (h)

=

j→∞

ing the eigenvector problem  = M. In previous work, numeric techniques are used to solve such an eigenvector problem and find the stationary probabilities. However, this computation is too expensive to be performed on-line (see Section 5). 3. Conservative bounds This section shows how to compute a conservative bound for P{fj > rj + ı} by adapting and extending some known bounds about GI/G/1 queues (Heyman and Sobel, 1982). Eq. (2) can be written as follows:

P{cj = c ∧ zj = z}

P{cj = y + zQ s ∧ zj = z} =

z=1

=

z 

z 

P{cj = y + zQ s }P{zj = z}

z=1

U(y + zQ s )T (z)

(5)

z=1

where z is the maximum value of z. The problem with the computation of this PMF is that U(c) is not known for values of the argument greater than C. Hence, it is possible to obtain a bound for this function by truncating the sum in Eq. (5) to values of z which lead to ˜ y + zQ s ≤ C. The resulting truncated version h(y) of the PMF of Y can be computed as:

˜ h(y) =

⎧ h(y) ⎪ ⎪  ⎪ ⎪ ⎨ C −y ⎪ ⎪ ⎪ ⎪ ⎩

for y ≤ y

Qs



U(y + zQ s )T (z)

for y ≤ y ≤ y

z=1

˜ is derived where y = C − Q s and y = C − zQ s . In plain words, h(y) from h(y) by padding with zeros the function U(c) in Eq. (5) for the values of the argument for which there is no knowledge. As a result, ˜ the values of h(y) for y ≤ y do not sum to 1, and the missing probabilities are accumulated in unknown values larger than y: for y > y, ∞ ˜ ˜ function h(y) h(y). is unknown, but it is possible to compute y=y+1 ˜ function has the following properties: The h()



y ˜ • for y ≤ y, P{Yj ≤ y} = h(k) k=−∞ y ˜ • for y < y ≤ y, P{Yj ≤ y} ≥ h(k)



k=−∞



y y ˜ ˜ • for y > y, h(k) h(k) ≤ P{Yj ≤ y} ≤ 1; y = 1 − is the k=−∞ k=−∞ size of the interval in which P{Yj ≤ y} (or P{Yi > y}) can range (with P{Yj ≤ y} ∈ (1 − y , 1) and P{Yi > y} ∈ (0, y )).

˜ In essence, a random variable Yj associated with the PMF h(y) is a conservative approximation for: Yj  Yj , according to Definition 1. As discussed in the next section, Yi quantifies the possible load changes on the system. A positive Yi value indicates that the system load is increasing, while negative values indicate that it is decreasing. Thereby, a conservative approximation for Yj as proposed in the previous lemma can be used to carry out a conservative analysis on the probability of respecting the deadline. 3.1. Main result

(4)

Then, a new random variable Yj = cj+1 − zj Qs can be introduced, so that

v0 = c0 vj+1 = max{cj+1 , vj + Yj } Let h(y) = P{Yj = y} represent the PMF of Yj ; since Yj is given by the linear combination of two independent variables, h(y) can be

Theorem 1. Let T ∈ N be a positive integer. If there exists a real constant  ∈ R with  > 1 such that y 

E[c] is the expected value of the execution times, and E[z] is the expected value of z.

˜  y h(y) +  T y < 1

(6)

y=−∞

then

∀ı ≤ 1

z 

Lemma 1.

which can be written as (j + 1) = M(j) where (j) is the vector of state probabilities at step j and M is a properly defined matrix. Then, if Qs /Ts > E[U(c)]/(E[T(z)]Ts )1 queueing theory says that a stationary probability vector  = lim (j) exists and can be computed by solv-



{c,z|c−zQ s =y}

(3)

h=1

v0 = c0 vj+1 = max{cj+1 , vj − zj Q s + cj+1 }.

h(y) = P{Yj = y} =

(2)

Informally speaking, Eq. (2) says that the amount of time to be executed after the arrival of the first job is equal to the job’s execution time, and the amount of time to be executed after the arrival of the jth job can be computed by summing the job’s execution time to the amount of time to be executed after serving the previous jobs. The worst-case finishing time of job Ji,j can be computed based on the value of vj , as ıj = vj /Q s T s ; hence, when the probability distribution V (v) = P{vj = v} is known, it is possible to compute the probability D(ı) = P{fi,j − ri,j ≤ ı} as P{vj /Q s T s ≤ ı}. As shown in the original paper, Eq. (2) can be used to compute the state transition probabilities P{vj+1 = v|vj = x} =

computed as follows:

1149

T Qs

⎛ T s , P{fj ≤ rj + ı} ≥ 1 − ⎝

C  c=0

⎞ U(c)

−( Tı Q s −c) s

+ c ⎠

1150

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156

The constant T is the maximum value of vj , for which PMF bound is considered to be useful. This constant is expressed in amount of execution time to be executed (like vj ). Therefore, only deadlines smaller than T/Qs  Ts can be analysed. T can be chosen very large and it does not make practical sense to analyse values of vj larger than T, because they would result in deadlines missed by a very large amount.  is computed, for a given T, considering the shape ˜ (its intuitive meaning will be clarified in the of the distribution h(y) next section). Note that Theorem 1 also states that it is possible to compute a bound for P{fj ≤ rj + ı} (with ı ≤  T/Qs  Ts ) even if the values of U(c) for c > C are not known. Indeed, only the knowledge of the cumulative probability c = P{c > C} is needed. The values of the probability U(c) for specific c > C has an impact only on the computations of P{fj ≤ rj + ı} for large values of ı (ı ≤  T/Qs  Ts ). Clearly, the partial knowledge of U(c) will introduce some more pessimism in the analysis even for small values of ı, but this is accounted for in the computation of the bound, as shown in Section 5 (see Fig. 12). This means that a complete knowledge of the execution times distribution is not needed, and that probabilistic guarantees can be provided even if U(c) is not fully known. 3.2. Proof of the result

As a consequence,

P{Yj > t} +

w0 = 0 wj+1 = max{0, wj − zj Q s + cj }

∞ 

 −(t−y) h(y) =

y=−∞





y 

y 

y=t+1

y=t+1

y 

y 

 −(t−y) h(y) =

∞ 

h(y) +

 −(t−y) h(y)

y=−∞

y=t+1

 −(t−y) h(y) =

y 

h(y) +

y 

h(y) +

 −(t−y) h(y)

y=−∞

y=y+1

∞ 

h(y)(1 −  −(t−y) ) +

h(y)

y=t+1

y=t+1

y=y+1

y 

y 

∞ 

+

 −(t−y) h(y) =

y=−∞ y 

+

h(y)(1 −  −(t−y) ) +

y=t+1

˜  −(t−y) (h(y) − h(y)) +

y 

y 

y 

˜  −(t−y) h(y)

y=−∞ ∞ 

h(y)(1 −  −(t−y) ) +

y=t+1

+

h(y)

y=y+1

y=−∞

=

To prove Theorem 1 it is useful to introduce a new variable wi , representing the amount of execution time to be executed immediately before the arrival of job Jj (whereas vj represents the amount of execution time to be executed immediately after the arrival of job Jj ). By definition, the evolution of wj can be expressed as:

t 

h(y) +

y  y=y

y=y+1

˜  −(t−y) h(y) ≤≤

y=−∞

y 

˜  −(t−y) (h(y) − h(y))

h(y)(1 −  −(t−y) ) +  −(t−y)

y=t+1

+  −(t−y)

y 

h(y)

y=y+1 y 

˜ (h(y) − h(y)) +

y=y

∞ 

˜  −(t−y) h(y)

y=−∞

or, using Yj , as w0 = 0 wj+1 = max{0, wj + Yj }

=

For all jobs Jj , vj = wj + cj

Some preliminary results are needed to prove Theorem 1. The first one provides a bound for the probability P{Yj > t}, when t is smaller or equal than T. Lemma 2. Let T ∈ N be a positive integer. If there exists a real constant  ∈ R with  > 1 such that y 

˜  y h(y) +  T y < 1

(7)

˜  −(t−y) h(y)

y=−∞

since y =

∞ y=y+1

h(y) +

y y=y

˜ (h(y) − h(y)).

Now, y > t ⇒  −(t−y) > 1 ⇒

Proof. By induction on j. Induction base: for j = 0, by definition v0 = c0 = 0 + c0 = w0 + c0 . Inductive step: vj+1 = max{0, vj − zj Q s } + cj+1 . By inductive hypothesis, this is equal to max{0, wj + cj − zj Q s } + cj+1 , and by definition this is wj+1 + cj+1 . 

y 

h(y)(1 −  −(t−y) ) +  −(t−y) y +

y=t+1

which is known as Lindley recursion (Lindley, 1952). An easy relation between vj and wj is stated in the following. Fact 1.

y 

P{Yj > t} +

t 

y

y=t+1

h(y)(1 −  −(t−y) ) ≤ 0. So,

 −(t−y) h(y) ≤  −(t−y) y +  −t

y=−∞ y 

=  −t ( y y +

y 

˜  y h(y)

y=−∞

˜  y h(y))

y=−∞

Since y < T , 1, hence P{Yj > t} +

y y=−∞

t 

˜  y h(y) +  T y < 1 ⇒

y y=−∞

˜  y h(y) +  y y <

 −(t−y) h(y) ≤  −t

y=−∞

y=−∞

CASE 2: If t > y, using once again Lemma 1, then

then

∀t ≤ T, P{Yj > t} +

t 

 −(t−y) h(y) ≤  −t

P{Yj > t} +

y=−∞

and

y=t+1

˜ h(y) ≤ y , and y =

 −(t−y) h(y) =

y=−∞

Proof. Let us consider two cases: (1) t ≤ y, (2) t > y.  ∞ ˜ CASE 1: If t ≤ y, in view of Lemma 1, then P{Yj > t} ≤ h(y) y=t+1

y

t 

∞

y=y+1

h(y) +

y

y=y

˜ (h(y) − h(y)).

+

y 

 −(t−y) h(y) =

y=−∞

∞ 

h(y) +

y=t+1 ∞  y=y+1

h(y) +

t 

t 

 −(t−y) h(y)

y=y+1

( −(t−y) − 1)h(y)

y=y+1

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156 y 

+

y=−∞ y 

+

∞ 

 −(t−y) h(y) =

y=y+1

∞ 

˜  −(t−y) h(y) ≤≤



t 

( −(t−y) − 1)h(y) +

 −(t−y)

P{Yj > t} +

< 1 ⇒ ( −(t−y)

t 



−(t−y)

˜ (h(y) − h(y)) + y 

y 

˜  −(t−y) h(y)

and since by the Lemma hypotheses w ≤ T ⇒ P{Y > w} +  t ˜ (w − y)h(y) ≤ (w), for values of w lower than or equal y=−∞

than T it holds

y 

P{wj+1 > w} ≤ 

−(t−y) ˜

y y=−∞

 t y < 1, hence

w 

(w − y)h(y) + P{Yj > w} ≤ (w),

y=−∞

h(y)

which ends the proof.  Lemma 4 shows how the bound on the probability P{Yj > t} provided in Lemma 2 can be used to construct a function that respects the properties described in Lemma 3.

˜  y h(y) + y  t )

y=−∞

Restricting to t ≤ T,

t 

y 

(w − y)h(y) + P{Yj > w}

y=−∞

y=−∞

˜  y h(y) =  −t (

P{wj > w − y}h(y) + P{Yj > w}

w 



− 1) < 0; so

h(y) ≤ y +

y=−∞

P{Yj > t} +

˜  −(t−y) h(y)

y=−∞

y=−∞

= y +  −t

w 

y=−∞

y=−∞

y=y+1

Since y < t,

 y

y=−∞

y=y+1

P{wj > w − y}h(y) + P{Y > w}

By inductive hypotheses, P{wj > w} ≤ (w), so

h(y)

y=y+1

y

( −(t−y) − 1)h(y) +

w 

y=−∞

y=−∞



= y +

y 

˜  −(t−y) (h(y) − h(y)) +

t

=

( −(t−y) − 1)h(y)

y=y+1

y=−∞

+

t 

h(y) +

1151

˜  y h(y) +  T y < 1 ⇒

y y=−∞

˜  y h(y) +

Lemma 4. Let T ∈ N be a positive integer. If there exists a real constant  ∈ R with  > 1 such that y 

 −(t−y) h(y) ≤  −t .

˜  y h(y) +  T y < 1

(8)

y=−∞

y=−∞

then

 The second group of Lemmas produces a function (w) such that P{wj > w} ≤ (w). In particular Lemma 3 identifies some properties on the function that make it suitable to serve this purpose. Lemma 3. If (t) is a function ranging in the interval [0, 1] such t (w − y)h(y) ≤ (w), then ∀w ≤ that w ≤ T ⇒ P{Yj > w} + y=−∞ T, P{wj > w} ≤ (w). Proof. The proof is by induction on j. Induction base: P{w0 > w} is obviously less or equal than (w), because w0 = 0 and because () ranges in [0, 1]. Inductive step: P{wj+1 > w} = P{max{0, wj + Yj } > w}. Since w ≥ 0 by definition, P{wj+1 > w} = P{wj + Yj > w}. Now,

P{wj + Yj > w} =

∞ 

=

+

Proof (Theorem 1). As observed in Section 2, the probability to respect a probabilistic deadline ı can be computed as P{fj − rj ≤ ı} = P

P{wj > w − y}h(y)

j Qs



Ts ≤ ı



vj ≤

ı Ts





Q

s

 1−P

P{vj > v} = P{wj + cj > v} = P{wj > w − y}h(y)

P{wj > w − y}h(y) +

y=−∞

 v

 vj >

ı Ts



 Q

s

Now, probability P{vj > v} can be estimated as follows:

∞ 

Since for y > w it holds P{wj > w − y} = 1, w 

Note that the full knowledge of U(c) is not needed to compute a bound for P{Yj > w} (as already noticed for Theorem 1). Based on the previous results, Theorem 1 can now be proved.

P{fj ≤ rj + ı} = P

y=w+1

P{wj + Yj > w} =

Proof. The lemma hypotheses match with the hypotheses of Lemma 2. Hence, P{Yj > w} respects Condition (7). In view of this condition,  −t has the properties required for (t) by Lemma 3. Hence the thesis. 



y=−∞ ∞ 

(9)

This expression is equivalent to:

P{wj > w − y}h(y)

y=−∞ w 

∀w ≤ T, P{wj > w} <  −w .

P{wj > v − c}P{cj = c} =

c=−∞

∞ 

h(y)

y=w+1

=

v  c=0

U(c)P{wj > v − c} +

∞  c=v+1

U(c)

(10)

1152

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156

where the last step is justified because v − c < 0 ⇒ P{wj > v − c} = 1. From Lemma 4 it is possible to derive that ∀v ≤ T , P{vj > v} ≤

v 

U(c) −(v−c) +

c=0

∞ 

U(c)

0.15

c=v+1

v  c=0



v  c=0

+

C 



U(c) + c =

c=v+1

0.1

0.05

U(c)

c=C+1

U(c) + c ≤

v 

c=v+1

−(v−c)

∞ 

U(c) +

c=v+1

U(c) −(v−c) +

C 

C 

U(c) −(v−c) +

P{c = t}

Consider two cases: (1) v ≤ C, (2) v > C. CASE 1: If v ≤ C, then

P{vj > v} ≤

0.2

0

U(c) −(v−c)

0

1000

2000

3000

5000

6000

7000

8000

t

c=0 C 

4000

Fig. 1. PMF of the execution times.

U(c)

−(v−c)

+ c

0.35

c=0

0.3

CASE 2: In this case the bound can be computed as follows,

P{vj > v} ≤

U(c) −(v−c) +

c=0



v 

U(c) ≤

c=C+1



v 

U(c) =

U(c) −(v−c) + +

c=C+1 C 

U(c) −(v−c) +

v 

U(c)

U(c) −(v−c) + c

c=C+1

C 

v 

U(c) −(v−c) +

∞ 

c=C+1

c=0

c=0

c=C+1

v 

P{z = t}

0.25 C 

0.2

0.15

0.1

0.05

U(c)( −(v−c) − 1) + c

0 0

c=C+1

2

4

6

8

10

12

t

Since in the second sum c ≤ v ⇒  −(v−c) − 1 ≤ 0, even in this case it

C

Fig. 2. PMF of z.

is P{vj > v} ≤ U(c) −(v−c) + c . c=0 This bound on the probability P{vj > v} can be plugged into Eq. (10) producing our thesis. 

1 0.9 0.8

Notice that Yj represents the variation between the amount of execution time yet to be served immediately before (or immediately after) two consecutive arrivals. In other words, if Yj is negative then the amount of “accumulated” execution time vj decreases; otherwise it increases. If Q s ≥ C/z (where z is the minimum value of z), then C − Q s z ≤ 0, so P{cj − Qs zj > 0} ≤ c ⇒ P{Yj > 0} ≤ c . Hence, ∀ > y ˜  y h(y) > 0} ≤ c (and if c = 0 then Yj is always <0 and 1, P{

0.7

P{Y <= t}

4. Discussion

0.6 0.5 0.4 0.3 0.2

y=−∞

all the jobs finish before the arrival of the next job). On the other hand, it can be shown that if Qs ≤ E[c]/E[z], then it y ˜  y h(y) < 1 (this is not possible to find a value of  such that y=−∞

is consistent with the fact that a queue with a load ≥1 is not stable). As a result, Qs must be larger than E[c]/E[z]. To better understand how the various scheduling parameters affect the probability distribution of Yj , consider a simple example with the execution times and inter-arrival times distributed as in Figs. 1 and 2. The resulting PMFs for Yj have been computed (as explained in the previous section) for different values of Qs ranging from the minimum possible (1000) to almost the maximum (1900), and the results are displayed in Fig. 3. From the figure, it can be noticed that increasing Qs , h(y) is shifted left (meaning that the

0.1 0 -20000

-15000

-10000

-5000

0

5000

t Fig. 3. CDF of Yj for various values of Qs .

probability to decrease the amount of remaining computation time is increased). Remember that to find a pessimistic estimation of the probability to respect a probabilistic deadline, a value of  satisfying Eq. (6) must be found. Since in this simplified example we have y ˜ c = 0 ⇒ y = 0, the condition is simplified to  y h(y) < 1. To y=−∞

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156 1000

1

1

100

0.8

10

0.6

P{f - r <= δ}

gQs(γ)

1153

1

0.1

0.4

0.2

0.01 1

1.0005

Fig. 4. gQ s () =

1.001

y t=−∞

γ

1.0015

1.002

0

1.0025

0

50000

100000

150000

200000

250000

δ

˜  t h(t) for various values of Qs .

Fig. 6. Probabilistic deadlines according to various methods, and obtained through simulation. Qs = 1400 ms.

show how the choice of Qs impacts on the choice of , the differy ˜ ent functions gQ s () =  t h(t) for different values of Qs have t=−∞

been computed, and are displayed in Fig. 4. It is possible to notice how for Qs = 1900 (close to the hard schedulability condition) the gQ s is decreasing, and will cross the g1900 () = 1 line only for large values of  (for Qs = 2000, such a line is never crossed). 5. Experimental results The presented analysis technique has been implemented in a set of utilities using fairly portable C code. Dichotomic search is used to find proper values for . The resulting library of functions can be used to implement off-line design tools, or on-line admission tests (even in slower CPUs, as it will been shown in this section) and is freely available (downloadable from http://www.disi.unitn.it/ abeni/gamma-bound.tgz). This software has been used to compute the conservative bounds as discussed in this paper, and to validate them through a comparison with simulations and with the “exact” probability distributions obtained by numerically solving the eigenvector problem (Abeni and Buttazzo, 2001). These comparisons have been performed through an extensive set of tests and experiments presented in this section. Such experiments confirmed that the bound is conservative, in perfect accordance with our theoretical expectations.

In a first batch of experiments, the two synthetic PMF distributions for c and z represented in Figs. 1 and 2 have been used. The server period Ts was chosen equal to Ts = 20,000 ␮s. Different values for Qs were considered spanning the interval between 1000 ␮s (minimum) to 2000 ␮s (maximum). Some of the bounds obtained for the CDF are shown in Fig. 5. The bounds have then been compared with the exact CDF and with the empirical distribution obtained from a long simulation run. The workload of the system has been increased by inserting additional real-time tasks (up to utilisation 1) to make sure that the task only receives the reserved computation time (without reclaiming unused bandwidth). Some of the results are reported in Figs. 6 and 7, showing that not only is the new bound conservative, but the gap from the exact distribution is relatively narrow. The worst case response time should be multiple of the server period Ts (since in the worst case the budget Qs is received at the very end of each server period). However, the empirical distributions obtained from simulation do not exhibit this behaviour (the CDF is not structured as a sequence of step with break points coincident with integer multiples of Ts ). This is suggestive of a potential inadequacy of the empirical method for worst case analysis, since it does not seem to capture the worst case patterns. In a next set of experiments, the performance of the proposed approach has been evaluated by measuring the amount of time

1 1

0.8

P{f - r <= δ}

P{f - r <= δ}

0.8

0.6

0.4

0.6

0.4

0.2 0.2

0 0

0 0

100000

200000

300000

400000

500000

δ Fig. 5. Pessimistic bounds of the CDF of the response times for various values of Qs .

50000

100000

δ

150000

200000

250000

Fig. 7. Probabilistic deadlines according to various methods, and obtained through simulation. Q = 1900.

1154

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156 1

0.06

0.05

0.8

0.04

P{fj - rj <= δ}

P{c = t}

0.6 0.03

0.02

0.4

0.2 0.01

0

0 0

5000

10000

15000

20000

0

25000

50000

needed to compute the bound and comparing it with the amount of time needed to numerically compute the exact CDF. A periodic task with period P = 200 ms and a randomly generated PMF of the execution times U(c) (with c varying between 10 ms and 40 ms), served by a (30 ms, 100 ms) reservation, has been considered, and the probability P{ı < 100 ms} has been computed 100 times (using 100 different PMFs). Each PMF is composed by 300 samples. The tests have been executed on various systems, characterised by different CPU speeds: a PC based on an Intel Core2 Duo CPU running at 2.60 GHz (core2 in the table), a BeagleBoard (an embedded board based on an ARM CPU),2 a PowerPC 750CX running at 500 MHz (ppc in the table), a FoxBoard (an embedded board based on an Etrax LX system on chip running at 100 MHz),3 and a FLEX (an embedded board based on a Microchip dsPIC DSC microcontroller).4 The results are shown in Table 1, that presents the average times for finding the bound (including the time needed to compute a correct value for , using dichotomic search) and their 95% confidence intervals. The average times needed to compute the exact solution (and their confidence intervals) are also shown for the systems on which it was possible to compute the exact solution. This experiment shows that using the proposed bound on-line admission control is feasible on almost all of the tested systems, with the only exception is the FoxBoard and the FLEX. Using a resampling of the execution times PMF Diaz et al. (2004), Refaat and Hladik (2010) to reduce its size to 15 samples, the average computation times for the bound are reduced to 135.901 ms with a 95% confidence interval of 0.548 ms for the FoxBoard (notice that even with the resampled PMF, the time needed to compute the exact solution on a FoxBoard is quite large – more than 10 s), and to 22.1 ms with a 95% confidence interval of 7.464 ms for the FLEX. Other similar tests have been repeated, with different kinds of tasks, and consistently reported a speedup of at least 400 times. In order to check the bound on a more realistic example, a video player has been instrumented, measuring the execution times PMF represented in Fig. 8. Since the video is 25 fps (frames per second), the player is modelled as a periodic task with period P = 40 ms. The proposed technique has been used to compute the CDF of the response times when the player is scheduled by using a (6 ms, 20 ms) reservation (hence, Ts is half of the task period, and T(z) / 2). The results is a delta function with T(2) = 1 and T(z) = 0 for z = are reported in Fig. 9, along with the exact CDF (obtained by

3 4

http://www.beagleboard.org. http://foxlx.acmesystems.it. http://www.evidence.eu.com/content/view/114/204.

200000

numerically solving the eigenvector problem) and with some empirical distribution, constructed from simulation as discussed in the previous experiment (additional real-time tasks have been inserted to increase the utilisation up to 1). As for the previous example, the bound results correctly conservative (the CDF estimated with the bound remains below the exact one) and the gap from the actual CDF is acceptable. Once again, the CPU time required to compute the bound is between two and three orders of magnitude smaller than from the exact solution. Figs. 10 and 11 compare the conservative bounds with empirical distributions for different values of Qs , confirming the previous findings. Fig. 12 shows the effects of an unknown tail in the PMF of the execution times, by comparing the bound obtained with Qs = 10 ms assuming a complete knowledge of the PMF with the bounds obtained (for the same value of Qs ) assuming c = 10−3 , 10−4 , 10−5 . Note that when c > 0 the probabilistic deadlines are very conservative but this is the price to be paid to tolerate a partial knowledge of the execution times. After that, the impact of the server period Ts on the probabilistic deadlines has been evaluated by computing the bound for different values of the server period. Ts affects the final results by changing the degree of pessimism in the generation of T(z) (see Eq. (1)) and by changing the granularity of the CPU time allocation (and hence the size of the steps in the PMF of the response times). For example, consider the inter-arrival times distributed according to the PMF

1

0.8

0.6

0.4

0.2

0 2

150000

Fig. 9. Probabilistic deadlines according to various methods, and obtained through simulation.

P{fj - rj <= δ}

Fig. 8. U(c) for a video player.

100000

δ

t

0

50000

100000

δ

150000

200000

Fig. 10. Probabilistic deadlines bound vs simulation results. Q = 10 ms.

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156

1155

Table 1 Solution times on different devices. System

Time for bound

Confidence interval

Time for exact solution

Confidence interval

core2 ppc BeagleBoard FoxBoard FLEX

0.562 ms 4.775 ms 8.817 ms 2582.697 ms 301.9 ms

0.013 ms 1.317 ms 1.436 ms 2.106 ms 0.678 ms

807.636 ms 31,547.189 ms 32,518.927 ms – –

12.413 ms 21.385 ms 2.926 ms – –

I(t) described in Fig. 13. The CDFs of z, for various values of Ts (ranging from 1000 to 20,000) are displayed in Fig. 14. The CDF of the response times obtained with a uniform execution time (average 21,000) and Qs = 0.6Ts are shown in Fig. 15. Finally, the proposed bounds have been applied to a real-world application: a video tracking task with the execution times shown in Fig. 16 and period 40 ms. Notice that in this application, c = 53 ms is larger than the period, so it is not possible to schedule the periodic task without any deadline miss. According to the application’s requirements, at least 80% of the deadlines have to be respected, and by applying the proposed analysis with Ts = 10 ms, it has been possible to verify that with Qs = 8.2 ms such a requirement is respected.

1

P{fj - rj <= δ}

0.8

0.6

0.4

0.2

0 0

50000

100000

150000

200000

δ 1

Fig. 11. Probabilistic deadlines bound vs simulation results. Q = 15 ms. 1

P{rj + 1 - rj <= z * Ts}

0.8

0.8

P{f - r <= δ}

0.6

0.4

0.6

0.4

0.2

0.2 0

0

20000

40000

60000

80000

100000

z 0 0

20000

40000

60000

80000 100000 120000 140000 160000 180000

δ

Fig. 14. CDF of z obtained from I(t) described in Fig. 13 and Ts = {1000, 5000, 10,000, 15,000, 20,000}.

Fig. 12. Probabilistic deadlines for Qs = 10 ms and various values of c . 0.05

1

0.045 0.04

0.8

0.03

P{fj - rj <= δ}

P{rj + 1 - rj = t}

0.035

0.025 0.02 0.015 0.01

0.6

0.4

0.2

0.005 0 20000

30000

40000

50000

60000

t Fig. 13. I(t) for an example task.

70000

80000

0 0

2e+08

4e+08

6e+08

8e+08

δ

1e+09

1.2e+09 1.4e+09 1.6e+09

Fig. 15. Probabilistic deadlines for different values of Ts .

1156

L. Abeni et al. / The Journal of Systems and Software 85 (2012) 1147–1156

0.045 0.04 0.035

P{c = t}

0.03 0.025 0.02 0.015 0.01 0.005 0 15000

20000

25000

30000

35000

40000

45000

50000

55000

60000

t Fig. 16. U(c) for a video tracking task.

6. Conclusions and future work This paper presented a new method for analysing soft real-time systems through probabilistic deadlines, when a reservation-based scheduler is used. Respect to previous approaches, (which computed the exact probability distributions by numerically solving an eigenvector problem) the proposed approach is faster, and is robust against uncertainties in the execution times distribution. As a future work, a new strategy for finding a proper value of  (based on discrete Fourier transforms) will be investigated, and the bounds will be compared with some closed-form solutions that can be obtained in some special cases. References Abeni, L., Buttazzo, G., 1998. Integrating multimedia applications in hard realtime systems. In: Proceedings of the 19th IEEE Real-Time Systems Symposium (RTSS’98), Madrid, Spain, pp. 4–13. Abeni, L., Buttazzo, G., 1999. Qos guarantee using probabilistic deadlines. In: Proceedings of the 11th Euromicro Conference on Real-Time Systems (ECRTS’99), York, England, pp. 242–249. Abeni, L., Buttazzo, G., 2001. Stochastic analysis of a reservation-based system. In: Proceedings of the 15th International Parallel and Distributed Processing Symposium (IPDPS’01), San Francisco, CA, pp. 946–952. Atlas, A.K., Bestavros, A., 1998. Statistical rate monotonic scheduling. In: Proceedings of the 19th IEEE Real-Time Systems Symposium (RTSS’98), Madrid, Spain, pp. 123–132. Cucu, L., Tovar, E., 2006. A framework for the response time analysis of fixed-priority tasks with stochastic inter-arrival times. ACM SIGBED Review 3, 7–12, Special issue: The work-in-progress (WIP) session of the RTSS 2005. Diaz, J.L., Garcia, D.F., Kim, K., Lee, C.G., Lo Bello, L., López, J.M., Min, S.L., Mirabella, O., 2002. Stochastic analysis of periodic real-time systems. In: Proceedings of the 23rd IEEE Real-Time Systems Symposium (RTSS’02), Austin, TX, pp. 289–300. Diaz, J.L., López, J.M., Garcia, M., Campos, A.M., Kim, K., Lo Bello, L., 2004. Pessimism in the stochastic analysis of real-time systems: concept and applications. In: Proceedings of the 25th IEEE Real-Time Systems Symposium (RTSS’04), Lisbon, Portugal, pp. 197–207. Fontanelli, D., Greco, L., Palopoli, L., 2010. Adaptive reservations for feedback control. In: Proceedings of the 48th IEEE Conference on Decision and Control (CDC 2010), Atlanta, GA, pp. 4236–4243.

Gardner, M.K., Liu, J.,1999. Analyzing stochastic fixed-priority real-time systems. In: Proceedings of the 5th International Conference on Tools and Algorithms for Construction and Analysis of Systems (TACAS’99). Springer, Amsterdam, The Netherlands, pp. 44–58. Hamann, C.J., Reuther, L., Wolter, J., Haertig, H., Loser, J., Schonberg, S., 2001. Qualityassuring scheduling-using stochastic behavior to improve resource utilization. In: Proceedings of the 22nd IEEE Real-Time Systems Symposium (RTSS’01), London, England, pp. 119–128. Heyman, D.P., Sobel, J.M., 1982. Stochastic Models in Operations Research, vol. I: Stochastic Processes and Operating Characteristics. McGraw-Hill. Kaczynskit, G.A., Lo Bello, L., Nolte, T., 2007. Deriving exact stochastic response times of periodic tasks in hybrid priority-driven soft real-time systems. In: Proceedings of the IEEE Conference on Emerging Technologies and Factory Automation (ETFA 2007), Patras, Greece, pp. 101–110. Kang, D.I., Gerber, R., Sakena, M., 1997. Performance-based design of distributed real-time systems. In: Proceedings of the 3rd IEEE Real-Time Technology and Applications Symposium (RTAS’97), pp. 2–13. Kim, K., Diaz, J.L., Lo Bello, L., López, J.M., Lee, C.G., Min, S.L., 2005. An exact stochastic analysis of priority-driven periodic real-time systems and its approximations. IEEE Transactions on Computers 54, 1460–1466. Lehoczky, J.P., 1996. Real-time queueing theory. In: Proceedings of the 17th IEEE Real-Time Systems Symposium (RTSS’96), Los Alamitos, CA, USA, pp. 186–195. Lindley, D., 1952. The theory of queues with a single server. Proc. Camb. Phil. SOc 48, 277–289. Mercer, C.W., Savage, S., Tokuda, H., 1994. Processor capacity reserves: Operating systems support for multimedia applications. In: Proceedings of the IEEE International Conference on Multimedia Computing and Systems, Boston, MA, pp. 90–99. Mills, A., Anderson, J., 2010. A stochastic framework for multiprocessor soft realtime scheduling. In: Proceedings of the 16th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS’10), Stockholm, Sweden, pp. 311–320. Palopoli, L., Abeni, L., Buttazzo, G., Conticelli, F., Di Natale, M., 2000. Real-time control system analysis: an integrated approach. In: Proceedings of the 21st IEEE RealTime Systems Symposium (RTSS’00), Orlando, FL, pp. 131–140. Rajkumar, R., Juvva, K., Molano, A., Oikawa, S., 1998. Resource kernels: a resourcecentric approach to real-time and multimedia systems. In: Proceedings of the SPIE/ACM Conference on Multimedia Computing and Networking, San Jose, CA, pp. 150–164. Refaat, K.S., Hladik, P.E., 2010. Efficient stochastic analysis of real-time systems via random sampling. In: Proceedings of the 22nd Euromicro Conference on RealTime Systems (ECRTS’10), Brussels, Belgium, pp. 175–183. Tia, T.S., Deng, Z., Shankar, M., Storch, M., Sun, J., Wu, L.C., Liu, J.W.S., 1995. Probabilistic performance guarantee for real-time tasks with varying computation times. In: Proceedings of the 1st IEEE Real-Time Technology and Applications Symposium (RTAS’95), Chicago, IL, pp. 164–173. Luca Abeni is assistant professor at DISI, University of Trento. He graduated in computer engineering from the University of Pisa in 1998, and has been a PhD student at Scuola Superiore S. Anna, Pisa from 1999 to 2002 doing research on real-time operating systems, scheduling algorithms, quality of service management, and multimedia applications. He received the PhD degree in 2002. His main research interests are Operating Systems, real-time systems, audio/video streaming, and resource allocation algorithms for QoS management. Nicola Manica received the MSc degree in Computer Science from the University of Trento, Trento, Italy, where he is currently working toward the PhD degree in embedded electronics and computing systems with the Department of Information Engineering and Computer Science. From September 2011 he is a visiting student in the Operating Systems Group at the Technische Universität Dresden. His main research interests include scheduling, resource allocation and probabilistic modeling. Luigi Palopoli graduated with a degree in computer engineering from the University of Pisa, Pisa, Italy, in 1992, and received the PhD degree in computer engineering from Scuola Superiore SantAnna, Pisa, in 2002. He is an Associate Professor of Computer Engineering at the University of Trento. His main research activities are in embedded system design with a particular focus on resource-aware control design and adaptive mechanisms for QoS management. He has served in the program committee of different conferences in the area of real-time and control systems.