- Email: [email protected]
Schedulability Analysis of Hierarchical Systems with Arbitrary Scheduling in the Global Level
Proceedings of the 2nd IFAC Conference on Embedded Systems, Proceedings of Intelligence the 2nd IFAC Conference oninEmbedded Computational and Telematics Control Systems, Proceedings the Conference on Systems, Proceedings of of Intelligence the 2nd 2nd IFAC IFAC Conference oninEmbedded Embedded Systems, Computational and Telematics Control Available online at www.sciencedirect.com June 22-24, 2015. Maribor, Slovenia Computational Intelligence and Telematics in Computational Intelligence and Telematics in Control Control June 22-24, 2015. Maribor, Slovenia June 22-24, 22-24, 2015. 2015. Maribor, Maribor, Slovenia Slovenia June
ScienceDirect
IFAC-PapersOnLine 48-10 (2015) 264–269
Schedulability Analysis of Hierarchical Schedulability Analysis of Hierarchical Schedulability Analysis of Schedulability AnalysisScheduling of Hierarchical Hierarchical Systems with Arbitrary in the Systems with Arbitrary Scheduling in the Systems with Arbitrary Scheduling in the Systems with Arbitrary Scheduling in the Global Level Global Level Global Level Level Global
∗∗∗ Balbastre Patricia ∗∗ ∗∗ Brocal Vicent ∗∗∗ Balbastre Patricia ∗∗ Brocal Vicent ∗∗∗ ∗∗∗∗ ∗∗ Brocal Vicent ∗∗∗ Balbastre Patricia Crespo Alfons ∗∗∗∗ Balbastre Patricia Brocal Vicent Crespo Alfons ∗∗∗∗ Crespo Crespo Alfons Alfons ∗∗∗∗ ∗ ∗ Institute of Control Systems and Industrial Computing (ai2), ∗ Institute of Control Systems and Industrial Computing (ai2), ∗ Institute of Systems and Industrial Valencia, Spain (e-mail: Institute of Control Control Systems [email protected]). Industrial Computing Computing (ai2), (ai2), Valencia, Spain (e-mail: [email protected]). ∗∗ Valencia, Spain (e-mail: [email protected]). Institute of Control Systems and Industrial Computing (ai2), ∗∗ Valencia, Spain (e-mail: [email protected]). ∗∗ Institute of Control Systems and Industrial Computing (ai2), ∗∗ Institute of Systems and Industrial Valencia, Spain (e-mail: Institute of Control Control Systems [email protected]) Industrial Computing Computing (ai2), (ai2), Valencia, Spain (e-mail: [email protected]) ∗∗∗ Valencia, Spain (e-mail: [email protected]) Innovative Software Solutions (FentISS) (e-mail: ∗∗∗ Fent Valencia, Spain (e-mail: [email protected]) ∗∗∗ Fent Innovative Software Solutions (FentISS) (e-mail: ∗∗∗ Fent [email protected]) Software Fent [email protected]) Software Solutions Solutions (FentISS) (FentISS) (e-mail: (e-mail: ∗∗∗∗ [email protected]) Institute of Control Systems and Industrial Computing (ai2), ∗∗∗∗ [email protected]) ∗∗∗∗ Institute of Control Systems and Industrial Computing (ai2), ∗∗∗∗ Institute of Systems Industrial Valencia, Spain (e-mail:and [email protected]) Institute of Control Control Systems Industrial Computing Computing (ai2), (ai2), Valencia, Spain (e-mail:and [email protected]) Valencia, Valencia, Spain Spain (e-mail: (e-mail: [email protected]) [email protected]) Abstract: Schedulability analysis of hierarchical real-time systems is based in the previous Abstract: Schedulability analysis of hierarchical real-time systems is based in the previous Abstract: of is based knowledge ofSchedulability the schedulinganalysis algorithms both in thereal-time local and systems the global Abstract: Schedulability analysis of hierarchical hierarchical real-time systems is levels. based in in the the previous previous knowledge of the scheduling algorithms both in the local and the global levels. knowledge of the scheduling in the local and the global levels. In a partitioned system withalgorithms safety andboth security issues and certification assurance levels, the knowledge of the scheduling algorithms both in the local and the global levels. In a partitioned system with safety and security issues and certification assurance levels, the In a with safety and assurance levels, the global scheduling system is usually generated usingsecurity a static issues table. Therefore, each partition must allocate In a partitioned partitioned system with safety and and security issues and certification certification assurance levels, the global scheduling is usually generated using a static table. Therefore, each partition must allocate globaljobs scheduling is usually usually generated using a static staticfor table. Therefore, each partition musttable allocate task only in the temporal windows reserved thatTherefore, partition. each Evenpartition if the static can global scheduling is generated using a table. must allocate task jobs only in the temporal windows reserved for that partition. Even if the static table can task jobs only the for Even the table can come originally a periodicwindows server orreserved other scheduling policy, the finalif can suffer task jobs only in infrom the temporal temporal windows reserved for that that partition. partition. Even ifplan the static static tablefrom can come originally from a periodic server or other scheduling policy, the final plan can suffer from come originally from a periodic server or other scheduling policy, the final plan can suffer from modifications due to changes in the system requirements. As a consequence, the CPU assignment come originally from a periodic server or other scheduling policy, the final plan can suffer from modifications due to changes in the system requirements. As aa consequence, the CPU assignment modifications changes system the CPU assignment to a partition due doesto have in to the correspond to any knownAs In this case, is not possible modifications due tonot changes in the system requirements. requirements. Aspolicy. a consequence, consequence, the it CPU assignment to a partition does not have to correspond to any known policy. In this case, it is not possible to a partition does not have to correspond to any known policy. In this case, it is not possible use existing does scheduling analysis for hierarchical systems. This paper provides aisschedulability to a partition not have to correspond to any known policy. In this case, it not possible to use existing scheduling analysis for hierarchical systems. This paper provides a schedulability to use existing scheduling analysis for hierarchical systems. This paper provides a schedulability analysis when the global level policy is not known but provided as a set of arbitrary time to use existing scheduling analysis for hierarchical systems. This paper provides a schedulability analysis when the global level policy is not known but provided as aa set of arbitrary time analysis when the global level policy is not known but provided as set of arbitrary time windows. The paper also provides a method to determine the more restrictive CPU assignment analysis when the global level policy is nottoknown but the provided as a set ofCPU arbitrary time windows. The paper also provides a method determine more restrictive assignment windows. The paper also provides a method to determine the more restrictive CPU assignment for a task set, as a mean of stablishing minimum temporal requirements for the partition. windows. The paper also of provides a method to determine the more restrictive CPU assignment for a task set, as a mean stablishing minimum temporal requirements for the partition. for a set, as stablishing minimum temporal requirements for the partition. for a task task set,(International as a a mean mean of of stablishing minimumControl) temporal requirements © 2015, IFAC Federation of Automatic Hosting by Elsevier for Ltd.the Allpartition. rights reserved. Keywords: Partitioned embedded systems; Real-time algorithms, scheduling, schedulability, Keywords: Partitioned Partitioned embedded embedded systems; systems; Real-time Real-time algorithms, Keywords: algorithms, scheduling, scheduling, schedulability, schedulability, temporal time analysis. Keywords:predictability, Partitioned embedded systems; Real-time algorithms, scheduling, schedulability, temporal predictability, time analysis. analysis. temporal predictability, time temporal predictability, time analysis. 1. INTRODUCTION For the last decade, the European space sector has adapted 1. INTRODUCTION INTRODUCTION For the the last last decade, decade, the the European European space space sector sector has has adapted 1. For the approach for the space for the 1. INTRODUCTION For initial the lastIMA decade, the European spacerequirements sector has adapted adapted the initial IMA approach for the the space space requirements for the the the initial IMA approach for requirements for new satellite generation (Windsor and Hjortnaes (2009)). the initial IMA approach for the space requirements for the In the last years, modern computing systems have in- new satellite generation (Windsor and Hjortnaes (2009)). In the the last last years, years, modern modern computing computing systems systems have have inin- new satellite (Windsor and Hjortnaes (2009)). The IMA-SPgeneration project was focused mono-processors In new (Windsor andon (2009)). creased its processing capabilities and its computational The satellite IMA-SPgeneration project was was focused onHjortnaes mono-processors In the last years, modern computing systems have in- The creased its processing capabilities and its computational IMA-SP project focused on mono-processors (IMA (2011-13)). The platform defines a virtualization creased its processing capabilities and its computational The IMA-SP project was focused on mono-processors resources in such a way that they are capable of executing (IMA (2011-13)). (2011-13)). The The platform platform defines defines aa virtualization virtualization creased and its computational resourcesitsin inprocessing such aa way waycapabilities that they they are are capable of executing executing (IMA that platform permits the execution of several resources that (IMA (hypervisor) (2011-13)). The defines a virtualization several concurrent real-time applications thatof for- layer layer (hypervisor) that permits permits the the execution of several several resources in such such a way that they are capable capable ofwould executing several concurrent real-time applications that would forlayer (hypervisor) that execution partitions. Each partition can contain a guest of operating several concurrent real-time applications that would forlayer (hypervisor) that permits the execution of several merly have required several embedded systems. Scheduling partitions. Each partition can contain a guest operating several concurrent real-time applications that would formerly have have required required several several embedded embedded systems. systems. Scheduling Scheduling partitions. partition can contain aa guest operating system andEach the application software. The hypervisor is merly partitions. Each partition can contain guest operating different real-time applications in a mono-processor not system and and the the application application software. software. The The hypervisor hypervisor is is merly have requiredapplications several embedded systems. Scheduling different real-time in a mono-processor not system in charge of assuring temporal and spatial isolation of different real-time in aa also mono-processor not system andof the application software. The hypervisor is only achieves a costapplications reduction but offers the possiin charge charge assuring temporal and spatial isolation of different real-time applications in it mono-processor not in only achieves a cost reduction but it also offers the possipartitions. only achieves aa cost reduction but it also offers the possiin charge of of assuring assuring temporal temporal and and spatial spatial isolation isolation of of bility of performance enhancement and closer integration partitions. only achieves cost reduction but it also offers the possibility of of performance performance enhancement enhancement and and closer closer integration integration partitions. bility partitions. of distinct applications. See Zhang and bility of performance enhancement and Burns closer (2007). integration An IMA development process involves several roles as: of distinct applications. See Zhang and Burns (2007). An IMA IMA development development process process involves involves several several roles roles as: as: of distinct applications. See Zhang and Burns (2007). An of distinct applications. See Zhang and Burns (2007). An development involves several roles as: to In many domains such as avionics, space or industrial (1)IMA System Architect process (SA): The SA has responsibility In many domains such as avionics, space or industrial (1) System System Architect Architect (SA): (SA): The The SA SA has has responsibility to to In many domains such as space industrial control constraints, and (1) In manysystems, domainshard suchreal-time as avionics, avionics, space or orsafety industrial overall (SA): system requirements and the sys(1) define Systemthe Architect The SA has responsibility responsibility to control systems, hard real-time constraints, safety and define the overall system requirements and the syscontrol systems, hard real-time constraints, safety and security issues and certification assurance levels are comdefine the overall system requirements and the syscontrol systems, hard real-timeassurance constraints, safety and tem design, including the optimal decomposition into define the overall system requirements and the syssecurity issues and certification levels are comtem design, including the optimal decomposition into security issues certification assurance levels are monly required. Integrated Modular Avionics (IMA) was tem design, including the into security issues and and certification assurance levels are comcomhosted partitions jointly with thedecomposition detailed resource tem design, including the optimal optimal into monly required. required. Integrated Modular Avionics (IMA) was hosted partitions jointly with the thedecomposition detailed resource resource monly Integrated Modular an architectural proposal emerged as Avionics a design (IMA) conceptwas to hosted partitions jointly with detailed monly required. Integrated Modular Avionics (IMA) was allocation per partition. hosted partitions jointly with the detailed resource an architectural proposal emerged as a design concept to allocation per per partition. partition. an architectural proposal emerged as concept to integrate in a hardware platform several applications with an architectural proposal emerged as aa design design concept to (2) allocation System Integrator (SI): The SI is responsible for allocation per partition. integrate in aa hardware hardware platform several applications with (2) System Integrator (SI): The The SI SI is is responsible responsible for for integrate in platform several applications with different levels of criticality. IMA approach proposes to (2) System Integrator (SI): integrate in a hardware platform several applications with verifying the feasibility ofThe the SI system requirements (2) System Integrator (SI): is responsible for different levels of criticality. IMA approach proposes to verifying the feasibility of the system requirements different levels of IMA proposes to encapsulate functions into partitions configuring a partiverifying feasibility requirements different levels of criticality. criticality. IMA approach approach proposes to defined bythe the SA, as of wellthe assystem responsible for the verifying the feasibility of the system requirements encapsulate functions into partitions configuring a partidefined by by the the SA, SA, as as well well as responsible responsible for for the the encapsulate functions into configuring aa partitioned system. Partitioned architectures isolate software defined encapsulate functions into partitions partitions configuring particonfiguration andSA, integration of all components. defined by the as well as as responsible for the tioned system. system. Partitioned architectures isolate software software configuration and integration of all components. tioned Partitioned architectures isolate components into independent partitions whose execution and of all tioned system. architectures isolateexecution software (3) configuration Application (AS): An is responsible for configurationSuppliers and integration integration of AS all components. components. components intoPartitioned independent partitions whose whose (3) Application Application Suppliers (AS): An An AS is responsible responsible for for components into shall not interfere with that ofpartitions other partitions, preserv(3) Suppliers AS is components into independent independent partitions whose execution execution the development of an(AS): application according to the (3) Application Suppliers (AS): An AS is responsible for shall not interfere with that of other partitions, preservthe development of an application according to the shall not with of partitions, preserving temporal and spatial isolation. Several projects have the development of an application the shall not interfere interfere with that that of other other partitions, preservoverall requirements from the SA andaccording the SI. ASto shall the development of an application according to the ing temporal and spatial isolation. Several projects have overall requirements requirements from from the the SA SA and the the SI. SI. AS AS shall shall ing temporal and isolation. Several projects have successfully using this approach the avionic overall ing temporaldeveloped and spatial spatial isolation. Several in projects have verify that the allocated safety parameoverall requirements from budget the SA and and the SI. AS shall successfully developed using this approach approach in the avionic avionic verify that the allocated budget and safety paramesuccessfully developed using this in the market. verify that the allocated budget and safety paramesuccessfully developed using this approach in the avionic verify that the allocated budget and safety paramemarket. market. market.
Guasque Guasque Guasque Guasque
Ana ∗∗ Ana ∗ Ana Ana ∗
Copyright©©2015, 2015 IFAC (International Federation of Automatic Control) 264 Hosting by Elsevier Ltd. All rights reserved. 2405-8963 Copyright © 2015IFAC IFAC 264 Copyright 2015 IFAC 264 Peer review© of International Federation of Automatic Copyright ©under 2015responsibility IFAC 264Control. 10.1016/j.ifacol.2015.08.142
CESCIT 2015 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
ters are respected. Assuming that each application is located in a partition and a partition can have only one application, an AS can also be called Partition Developer (PD). There are other roles in the process but due to space restrictions we only detail those interesting for the purpose of the paper. For a complete description of the main roles and responsibilities see (IMA-SP. Integrated Modular Avionics for Space (2011-13)). A key element in the development process and the final execution is the configuration of the system defined by the SA, which includes the components description and the resource allocation. This is identified as configuration data or configuration file. In order to preserve the confidentiality of the developing process, a configuration data is split and delivered to each PD with the required information for the application development. Regarding the allocation of temporal resources, the SI is responsible for CPU allocation to applications while the PD shall manage the time budget assigned to its tasks by the SI. Then, a partition does not have all the time assigned to schedule its tasks, but only certain slots throughout the hyper-period. To satisfy the temporal resource requirements of the partition, the system must supply sufficient computational resources. The list of assigned slots is provided by the SI, that is in charge of assuring the feasibility in the global level. Thus, PD’s give to the SI its temporal requirements, normally in the form of CPU bandwidth. The SI calculates and assigns this bandwidth to partitions using a well known bandwidth server or it can assign it using a cyclic scheduling. ARINC 653 standard (Avionics Application Software Standard Interface (ARINC-653) (2006)) defines a hierarchical scheduling where a static cyclic executive scheduler is used in the global level. If the assignment is made using a bandwidth algorithm, the corresponding feasibility tests are available in the literature so the PD can apply them to know if its tasks are schedulable with this slots assignment (see section 5). On the contrary, if the assignment is made by the SI in an arbitrary way (i.e. not following any existing scheduling algorithm) the authors are not aware of any paper that addresses and solves this problem. Moreover, schedulability tests for hierarchical systems are based on calculating the worst case response time of tasks in the local level and adding the worst case overhead due to the global level. But, if the scheduling policy is not known in the global level, existing schedulability tests can not apply. Our aim is to generalized the global level model characterizing it by a slots assignment (arbitrary CPU supply as we will comment later). 1.1 Contributions and outline The problem to be addressed is concerned with the schedulability of a hierarchical system composed of two levels. The global level policy is not known but provided by the SI as a set of arbitrary time slots. By arbitrary we understand that are not derived from any known scheduling algorithm 265
265
in the global level. We provide a schedulability analysis so the PD can accept the slots assignment. In the local level, we will assume EDF. Obviously, our results can be used even if the scheduling algorithm in the global level is known. The results presented in this paper are also useful in the other direction. This paper provides a method to determine the more restrictive assignment slots for a task set, as a mean of minimum requirements that the SI assignment must meet. If the global level policy is known and based on a periodic server, our contributions will provide an alternative way of deducing the solution space for the server parameters. The paper is organized as follows: Section 2 presents the model and notation used, while in section 3 the calculation of the minimum supply bound function is explained. The schedulability test is presented in section 4. Section 5 presents the most important works in the field of hierarchical scheduling. Finally, section 6 summarizes the contributions of the paper and future lines of work. 2. SYSTEM MODEL AND NOTATION Our model is concerned with the pre-emptive scheduling of real-time applications on an uniprocessor. Each application consists of a number of partitions P1 , .., Pm . Each partition comprises a number of tasks. Thus, our hierarchical system has two levels, the partition (or global) level and the task (or local) level, each of them with its own scheduling policy. In this work, we will assume that the local level is scheduled under EDF scheduling policy and the global level is scheduled under any scheduler. Global scheduling information is provided as temporal windows or slots, in which a partition is allowed to execute. From now on, the sub index used to refer to a partition will be omitted to simplify the notation. Therefore, a partition P can be defined 1 in a formal way as a tuple P = {τ, R} where: (1) τ = {τ1 , τ2 , .., τn } is a set of n tasks. A task τi is characterized by a tuple τi = {φi , Ci , Di , Ti } where φi is the offset, Ci is the worst case computation time, Di is the relative deadline and Ti is the period. When all parameters to the system are integers, we may assume without loss of generality that all preemptions occur at integer time values. We then assume, for the remainder of the paper, that all parameters are indeed integers. Moreover, constrained deadlines are assumed so Di ≤ Ti . (2) An arbitrary CPU supply, R, is represented by a sequence of p intervals I1 , I2 , ..., Ip . Every Ii / 1 ≤ i ≤ p is a closed interval Ii = [si , ei ] repited every lcmτ 2 , so that 0 ≤ si < ei < si+1 and ep ≤ lcmτ . Therefore, ∀t exists a unique interval Ii so that si ≤ t ≤ ei . The CPU supply R for a partition determines the p temporal slots in which tasks allocated to the partition are allowed to execute. 1 In the definition of the partition we omit all non-temporal resources 2 Least Common Multiple of T , .., T n 1
CESCIT 2015 266 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
The problem to solve is concerned with the schedulability of the partition, that is, if task set τ can be scheduled without deadline misses in the slots defined by R. 2.1 Supply bound function Although we have characterized R as a set of intervals, it can also be defined as a function. Given a CPU supply R and interval of length t, the supply bound function gives the minimum amount of resource that model R is guaranteed to supply in any time interval of length t Easwaran et al. (2007). We can define the supply bound function of R, accordingly with the above definition. Definition 1. The supply bound function (sbfR (t)) of an arbitrary supply R expressed as a set of intervals is: ⎧ j � ⎪ ⎪ ⎪ ⎪ ⎪ (ei − si ) + t − ej if ∃j/t ∈ [sj , ej ], ⎪ ⎨ i=0 sbfR (t) =
⎪ j ⎪ � ⎪ ⎪ ⎪ ⎪ ⎩ (ei − si ) i=0
(1)
If tasks are simultaneously activated at time t = 0 (i.e. φi = 0 for all the tasks so the task set is synchronous), then: Definition 2. Baruah et al. (1990) The maximum cumulative execution time requested by jobs of τ whose absolute deadlines are less than equal to t is: � � n � t + Ti − Di (3) Ci dbfτ (t) = Ti i=1 It is a positive and increasing function that only increases in the so-called scheduling points i.e., when a deadline arrives. The minimum supply bound function (msbfτ (t)) is the more restrictive set of temporal windows that can successfully schedule τ . Next results will show how the first two intervals of the function are obtained and, then, msbfτ (t) will be generalized. Theorem 1. Let t1 ∈ N so that: t1 − dbfτ (t1 ) = min(t − dbfτ (t)) t − t1 + dbfτ (t1 ) 0
�
τn+1
Cn+1 = t1 − dbfτ (t1 )
Dn+1 = t1 − dbfτ (t1 ) Tn+1 = lcmτ
To prove schedulability of τ , the condition dbfτ (t) ≤ t must be complied in all the scheduling points within [0, t1 ]. Let’s suppose that a is a scheduling point in [0, t1 ]. If a < Dn+1 , obviously dbfτ (a) = dbfτ (a) ≤ a. If a ≥ Dn+1 , the demand bound function of the new task set τ is: dbfτ (a) = dbfτ (a) + Cn+1 = dbfτ (a) + t1 − dbfτ (t1 ) As t1 − dbfτ (t1 ) = min(t − dbfτ (t)) then
∀t ∈ (0, lcmτ ]
t1 − dbfτ (t1 ) ≤ (a − dbfτ (a)) So,
The goal of this section is to determine the minimum CPU supply for a task set τ while maintaining feasibility. For that, we will base our method in the demand bound function for a task set.
�
where
(2)
3. MINIMUM CPU SUPPLY FOR A TASK SET
msbfτ (t) =
τ = τ
t
A basic schedulability condition is: ∀t sbfR (t) ≤ t
Then,
Let
if ∃j/ej < t < sj+1 .
Then, a CPU supply R can be characterized either by a set of intervals Ii or by its sbfR (t).
t
Proof. The proof will be based on adding a new task τn+1 . This task could only be executed when τ is not, that is, in [0, t1 − dbfτ (t1 )) and we will demonstrate that the new set is schedulable. Then, the computation time of τn+1 will be increased in order to check that the new set is not schedulable.
(4)
if t ∈ [t1 − dbfτ (t1 ), t1 ], if t ∈ [0, t1 − dbfτ (t1 )). (5) 266
dbfτ (a) ≤ dbfτ (a) + a − dbfτ (a) ≤a Now, let’s suppose τ = τ and
�
τn+1
Cn+1 = t1 − dbfτ (t1 ) + �
Dn+1 = t1 − dbfτ (t1 ) + � Tn+1 = lcmτ
being � a small positive number such that 0 < � ≤ 1.
Following the same reasoning:
dbfτ (t1 ) = dbfτ (t1 ) + t1 − dbfτ (t1 ) + � = t1 + � so τ is not schedulable. As a result of the previous theorem, msbfτ (t) until t1 , expressed as a set of intervals, is msbfτ (t) = I0 = [t1 − dbfτ (t1 ), t1 ]. Using a similar approach we will derive the next interval. Lemma 1. Let t2 ∈ N, t1 < t2 so that: t2 − dbfτ (t2 ) = min(t − dbfτ (t)) t
Then
∀t ∈ (t1 , lcmτ ]
(6)
CESCIT 2015 June 22-24, 2015. Maribor, Slovenia
msbfτ (t) =
⎧ t − t1 + dbfτ (t1 ) if t ∈ [t1 − dbfτ (t1 ), t1 ], ⎪ ⎪ ⎪ ⎪ dbfτ (t1 ) if t ∈ (t1 , ⎪ ⎪ ⎨
t2 − dbfτ (t2 ) + dbfτ (t1 ))
t − t2 + dbfτ (t2 ) if t ∈ [t2 − dbfτ (t2 ) ⎪ ⎪ ⎪ ⎪ +dbfτ (t1 ), t2 ], ⎪ ⎪ ⎩
267
(7)
if t ∈ [0, t1 ).
0
Proof.
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
Schedulability in [0, t1 ] is assured due to Theorem 1. Following the same reasoning than Theorem 1, we are going to add a task whose computation time coincides with the idle time between I0 and SI1 and its deadline is equal to the start time of I1 (s1 ). Let
τ� = τ
where
�
τn+1
�
τn+2
Cn+1 = t1 − dbfτ (t1 ) Dn+1 = t1 − dbfτ (t1 ) Tn+1 = lcmτ Cn+2 = t2 − dbfτ (t2 ) + dbfτ (t1 ) − t1 Dn+2 = t2 − dbfτ (t2 ) + dbfτ (t1 ) Tn+2 = lcmτ Let’s suppose that a is a scheduling point in (t1 , t2 ]. If a < Dn+2 , then dbfτ (a) = dbfτ (a), so the new task set is schedulable. If a ≥ Dn+2 , following the same reasoning than in Theorem 1, the computation time of τn+1 and τn+2 is added to sbfτ (t):
i=0
Theorem 1 and Lemma 1 provide a method to obtain the first two intervals of msbfτ (t) function. Figure 1 shows graphically how the function is obtained. It is straightforward to recursively construct all the minimum supply slots needed by τ to maintain feasibility: finding tj points in where it holds that tj − dbfτ (tj ) is the minimum value in (tj−1 , lcmτ ]. We will call this points the minimum scheduling points tj . Therefore, the msbfτ (t) is defined as in definition 2 but now we can give specific values to sj and ej :
i=0
+t2 − t2 + dbfτ (t2 ) − dbf (t1 ) + ... j �
t2 − dbfτ (t2 ) ≤ (a − dbfτ (a))
⎪ ⎪ j ⎪ � ⎪ ⎪ ⎪ (ei − si ) ⎩
(ei − si ) = t1 − t1 + dbfτ (t1 ) − dbf (t0 )+
Assuming that t0 = 0 and dbfτ (0) = 0:
dbfτ (a) ≤ dbfτ (a) + a − dbfτ (a) ≤a
msbfτ (t) =
Replacing the values of sj and ej in the previous definition, it results:
i=0
As,
⎧ j � ⎪ ⎪ ⎪ (ei − si ) + t − ej ⎪ ⎪ ⎪ ⎨ i=0
where sj = tj − dbfτ (tj ) + dbf (tj−1 ) and ej = tj .
j �
dbfτ (a) = dbfτ (a) + t1 − dbfτ (t1 )+ + t2 − dbfτ (t2 ) + dbfτ (t1 ) − t1 = dbfτ (a) + t2 − dbfτ (t2 )
then
Fig. 1. Calculation of msbfτ (t) in [0, t2 ]
(ei − si ) = dbfτ (tj )
Therefore, we can provide a more compact definition for msbfτ (t): ⎧ ⎨t − tj + dbfτ (tj ) if ∃j/t ∈ [sj , ej ], (9) msbfτ (t) = ⎩ dbfτ (tj ) if ∃j/ej < t < sj+1 .
The previous function is obtained from the dbfτ (t) in definition 2, particularized for synchronized tasks. If we assume the possibility of asynchronism (i.e., exists any φi �= 0) between tasks, another function dbfτ (t) must be defined. 4. SCHEDULABILITY ANALYSIS
if ∃j/t ∈ [sj , ej ],
Once msbfτ (t) is obtained, the following theorem provides the schedulability condition of {τ, R}. Theorem 2. A task set τ is schedulable under a CPU supply R if and only if:
if ∃j/ej < t < sj+1 . (8) 267
∀t
sbfR (t) = msbfτ (t)
(10)
CESCIT 2015 268 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
Proof.
provided by Balbastre et al. (2009). Lipari and Bini (2005) provide a kind of sensitivity analysis of the global level for a two-level hierarchical system, providing a methodology for calculating the domain parameters that makes the task set feasible. Lorente and Palencia (2006) presented a worst-case response time analysis for the tasks in a two level hierarchical EDF systems.
We will prove that for any time point a : msbfτ (a) ≥ dbfτ (a) ≥ ∀a ∈ [0, lcmτ ] We will suppose two cases: • Case 1: a ∈ / [sj , ej ]. • Case 2: a ∈ [sj , ej ].
6. CONCLUSIONS
Case 1: If a ∈ / [sj , ej ], then ∃j so ej < a < sj+1 . Applying the second case in the msbfτ (t) definition: msbfτ (a) = dbfτ (a) Case 2: If a ∈ [sj , ej ], applying the first case of the msbf definition: msbfτ (a) = a − tj + dbfτ (tj ) As dbfτ (t) is a positive and monotonic increasing function it holds that Ripoll et al. (1996): If a ≤ tj then dbfτ (a) ≤ dbfτ (tj )
And, as τ is schedulable then dbfτ (tj ) − tj ≤ 0. Therefore:
msbfτ (a) ≥ dbfτ (a) − dbfτ (tj ) − tj ≥ dbfτ (a) In any case: msbfτ (a) ≥ dbfτ (a). 5. RELATED WORK In a partitioned architecture, partitions can be viewed as components that consist of a real-time workload and a scheduling policy for the workload. This definition coincides with a compositional system hierarchically organized. Different works in compositional scheduling have been proposed for a variety of real-time task models (Marimuthu and Chakraborty (2006); Lipari and Bini (2003); Shin and Lee (2003); Easwaran et al. (2007)). Hierarchical scheduling has been a topic of research interest in recent years. One of the first works on this area is the one presented by Deng and Liu (1997), based on a two-level real-time scheduling framework. Kuo and Li (1998) presented an exact schedulability condition for this framework assuming fixed priority pre-emptive scheduling. Lipari and Baruah (2000) presented a similar work with EDF. Saewong et al. (2002) provided a response time analysis for fixed-priority hierarchical systems. This analysis was pessimistic as it was showed by Davis and Burns (2005). However, Davis and Burns gave an exact response time calculation only for the partition with the highest priority. Almeida and Pedreiras (2004) improved the analysis by Saewong et al. but, again it was not an exact analysis. In Bril et al. (2006), Bril et al. show that the worst case response time of a task is not necessarily assumed for the first job with the conditions of critical instant provided by Davis and Burns. They claim that the existing analysis could be improved but they do not provide an alternative analysis. The exact response time was 268
This paper has considered the case of a two level hierarchical real-time system, where tasks in the local level are scheduled under EDF policy but the global level does not follow a known scheduling policy but the only information is provided as a set of CPU slots. The contribution of this paper is the calculation of the more restrictive sequence of slots (minimum supply bound function) of a task set in the local level. It also provides a non-schedulability condition of a task set in some arbitrary CPU slots. moreover, our model can also be used with any existing server in the global level, however our model is a generalization of any scheduling in the global level. Although we initially apply our results to static scheduling, further work will be focused on providing on-line algorithms to calculate msbfτ (t) in a specific window. This could be specially useful in flexible environments, where even if the scheduling algorithm is known a priori, jitter or latencies makes the final slots execution difficult to predict. Actions for future work are related to checking the schedulability of a task set, given a certain arbitrary sequence of CPU slots, by comparison with the minimum supply bound function. Improvements in the msbfτ (t) calculation are also foreseen. The proposed algorithm needs all the hyperperiod space to be exact but we expect to dramatically reduce the calculation cost by obtaining an upper bound for msbfτ (t). REFERENCES (2011-13). IMA-SP Integrated Modular Avionics for Space. ESA project 4000100764. Almeida, L. and Pedreiras, P. (2004). Scheduling within temporal partitions: response-time analysis and server design. In Fourth ACM International Conference on Embedded Software (EMSOFT). Avionics Application Software Standard Interface (ARINC-653) (2006). Avionics Application Software Standard Interface. Airlines Electronic Eng. Committee. Balbastre, P., Ripoll, I., and Crespo, A. (2009). Exact response time analysis of hierarchical fixed-priority scheduling. In 15th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2009. RTCSA ’09., 315–320. doi: 10.1109/RTCSA.2009.40. Baruah, S., Mok, A., and Rosier, L. (1990). Preemptively scheduling hard real-time sporadic tasks on one processor. In IEEE Real-Time Systems Symposium, 182–190. Bril, R.J., Verhaegh, W.F.J., and Wust, C.C. (2006). A cognac-glass algorithm for conditionally guaranteed budgets. In IEEE Real-Time Systems Symposium. Davis, R.I. and Burns, A. (2005). Hierarchical fixed priority pre-emptive scheduling. In IEEE Real-Time Systems Symposium.
CESCIT 2015 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
Deng, Z. and Liu, J.W.S. (1997). Scheduling real-time applications in an open environment. In IEEE RealTime Systems Symposium. Easwaran, A., Lee, I., Shin, I., and Sokolsky, O. (2007). Compositional schedulability analysis of hierarchical real-time systems. In ISORC, 274–281. IMA-SP. Integrated Modular Avionics for Space (2011-13). IMA Development Process, Roles and Tools. IMA-SP D08-11. Kuo, T.W. and Li, C.H. (1998). A fixed priority driven open environment for real-time applications. In IEEE Real-Time Systems Symposium. Lipari, G. and Baruah, S. (2000). Efficient scheduling of real-time multi-task applications in dynamic systems. In IEEE Real-Time Tecnology and Applications Symposium. Lipari, G. and Bini, E. (2003). Resource partitioning among real-time applications. In Real-Time Systems, 2003. Proceedings. 15th Euromicro Conference on, 151– 158. doi:10.1109/EMRTS.2003.1212738. Lipari, G. and Bini, E. (2005). A methodology for designing hierarchical scheduling systems. Journal of Embedded Computing, 1(2), 257–269. Lorente, J. and Palencia, J. (2006). An edf hierarchical scheduling model for bandwidth servers. In Proceedings. 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2006., 261–266. doi:10.1109/RTCSA.2006.13. Marimuthu, S. and Chakraborty, S. (2006). A framework for compositional and hierarchical real-time scheduling. In 12th IEEE Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 91 –96. doi:10.1109/RTCSA.2006.7. Ripoll, I., Crespo, A., and Mok, A. (1996). Improvement in feasibility testing for real-time tasks. Journal of RealTime Systems, 11, 19–40. Saewong, S., Rajkumar, R., and Lehoczky, J. (2002). Analysis of hierarchical fixed-priority scheduling. In Euromicro Conference on Real-Time Systems. Shin, I. and Lee, I. (2003). Periodic resource model for compositional real-time guarantees. In Real-Time Systems Symposium, 2003. RTSS 2003. 24th IEEE, 2– 13. doi:10.1109/REAL.2003.1253249. Windsor, J. and Hjortnaes, K. (2009). Time and space partitioning in spacecraft avionics. In IEEE Conference on Space Mission Challenges for Information Technology. Zhang, F. and Burns, A. (2007). Analysis of hierarchical edf pre-emptive scheduling. In 28th IEEE International Real-Time Systems Symposium, 2007. RTSS 2007., 423– 434. doi:10.1109/RTSS.2007.12.
269
269
ScienceDirect
IFAC-PapersOnLine 48-10 (2015) 264–269
Schedulability Analysis of Hierarchical Schedulability Analysis of Hierarchical Schedulability Analysis of Schedulability AnalysisScheduling of Hierarchical Hierarchical Systems with Arbitrary in the Systems with Arbitrary Scheduling in the Systems with Arbitrary Scheduling in the Systems with Arbitrary Scheduling in the Global Level Global Level Global Level Level Global
∗∗∗ Balbastre Patricia ∗∗ ∗∗ Brocal Vicent ∗∗∗ Balbastre Patricia ∗∗ Brocal Vicent ∗∗∗ ∗∗∗∗ ∗∗ Brocal Vicent ∗∗∗ Balbastre Patricia Crespo Alfons ∗∗∗∗ Balbastre Patricia Brocal Vicent Crespo Alfons ∗∗∗∗ Crespo Crespo Alfons Alfons ∗∗∗∗ ∗ ∗ Institute of Control Systems and Industrial Computing (ai2), ∗ Institute of Control Systems and Industrial Computing (ai2), ∗ Institute of Systems and Industrial Valencia, Spain (e-mail: Institute of Control Control Systems [email protected]). Industrial Computing Computing (ai2), (ai2), Valencia, Spain (e-mail: [email protected]). ∗∗ Valencia, Spain (e-mail: [email protected]). Institute of Control Systems and Industrial Computing (ai2), ∗∗ Valencia, Spain (e-mail: [email protected]). ∗∗ Institute of Control Systems and Industrial Computing (ai2), ∗∗ Institute of Systems and Industrial Valencia, Spain (e-mail: Institute of Control Control Systems [email protected]) Industrial Computing Computing (ai2), (ai2), Valencia, Spain (e-mail: [email protected]) ∗∗∗ Valencia, Spain (e-mail: [email protected]) Innovative Software Solutions (FentISS) (e-mail: ∗∗∗ Fent Valencia, Spain (e-mail: [email protected]) ∗∗∗ Fent Innovative Software Solutions (FentISS) (e-mail: ∗∗∗ Fent [email protected]) Software Fent [email protected]) Software Solutions Solutions (FentISS) (FentISS) (e-mail: (e-mail: ∗∗∗∗ [email protected]) Institute of Control Systems and Industrial Computing (ai2), ∗∗∗∗ [email protected]) ∗∗∗∗ Institute of Control Systems and Industrial Computing (ai2), ∗∗∗∗ Institute of Systems Industrial Valencia, Spain (e-mail:and [email protected]) Institute of Control Control Systems Industrial Computing Computing (ai2), (ai2), Valencia, Spain (e-mail:and [email protected]) Valencia, Valencia, Spain Spain (e-mail: (e-mail: [email protected]) [email protected]) Abstract: Schedulability analysis of hierarchical real-time systems is based in the previous Abstract: Schedulability analysis of hierarchical real-time systems is based in the previous Abstract: of is based knowledge ofSchedulability the schedulinganalysis algorithms both in thereal-time local and systems the global Abstract: Schedulability analysis of hierarchical hierarchical real-time systems is levels. based in in the the previous previous knowledge of the scheduling algorithms both in the local and the global levels. knowledge of the scheduling in the local and the global levels. In a partitioned system withalgorithms safety andboth security issues and certification assurance levels, the knowledge of the scheduling algorithms both in the local and the global levels. In a partitioned system with safety and security issues and certification assurance levels, the In a with safety and assurance levels, the global scheduling system is usually generated usingsecurity a static issues table. Therefore, each partition must allocate In a partitioned partitioned system with safety and and security issues and certification certification assurance levels, the global scheduling is usually generated using a static table. Therefore, each partition must allocate globaljobs scheduling is usually usually generated using a static staticfor table. Therefore, each partition musttable allocate task only in the temporal windows reserved thatTherefore, partition. each Evenpartition if the static can global scheduling is generated using a table. must allocate task jobs only in the temporal windows reserved for that partition. Even if the static table can task jobs only the for Even the table can come originally a periodicwindows server orreserved other scheduling policy, the finalif can suffer task jobs only in infrom the temporal temporal windows reserved for that that partition. partition. Even ifplan the static static tablefrom can come originally from a periodic server or other scheduling policy, the final plan can suffer from come originally from a periodic server or other scheduling policy, the final plan can suffer from modifications due to changes in the system requirements. As a consequence, the CPU assignment come originally from a periodic server or other scheduling policy, the final plan can suffer from modifications due to changes in the system requirements. As aa consequence, the CPU assignment modifications changes system the CPU assignment to a partition due doesto have in to the correspond to any knownAs In this case, is not possible modifications due tonot changes in the system requirements. requirements. Aspolicy. a consequence, consequence, the it CPU assignment to a partition does not have to correspond to any known policy. In this case, it is not possible to a partition does not have to correspond to any known policy. In this case, it is not possible use existing does scheduling analysis for hierarchical systems. This paper provides aisschedulability to a partition not have to correspond to any known policy. In this case, it not possible to use existing scheduling analysis for hierarchical systems. This paper provides a schedulability to use existing scheduling analysis for hierarchical systems. This paper provides a schedulability analysis when the global level policy is not known but provided as a set of arbitrary time to use existing scheduling analysis for hierarchical systems. This paper provides a schedulability analysis when the global level policy is not known but provided as aa set of arbitrary time analysis when the global level policy is not known but provided as set of arbitrary time windows. The paper also provides a method to determine the more restrictive CPU assignment analysis when the global level policy is nottoknown but the provided as a set ofCPU arbitrary time windows. The paper also provides a method determine more restrictive assignment windows. The paper also provides a method to determine the more restrictive CPU assignment for a task set, as a mean of stablishing minimum temporal requirements for the partition. windows. The paper also of provides a method to determine the more restrictive CPU assignment for a task set, as a mean stablishing minimum temporal requirements for the partition. for a set, as stablishing minimum temporal requirements for the partition. for a task task set,(International as a a mean mean of of stablishing minimumControl) temporal requirements © 2015, IFAC Federation of Automatic Hosting by Elsevier for Ltd.the Allpartition. rights reserved. Keywords: Partitioned embedded systems; Real-time algorithms, scheduling, schedulability, Keywords: Partitioned Partitioned embedded embedded systems; systems; Real-time Real-time algorithms, Keywords: algorithms, scheduling, scheduling, schedulability, schedulability, temporal time analysis. Keywords:predictability, Partitioned embedded systems; Real-time algorithms, scheduling, schedulability, temporal predictability, time analysis. analysis. temporal predictability, time temporal predictability, time analysis. 1. INTRODUCTION For the last decade, the European space sector has adapted 1. INTRODUCTION INTRODUCTION For the the last last decade, decade, the the European European space space sector sector has has adapted 1. For the approach for the space for the 1. INTRODUCTION For initial the lastIMA decade, the European spacerequirements sector has adapted adapted the initial IMA approach for the the space space requirements for the the the initial IMA approach for requirements for new satellite generation (Windsor and Hjortnaes (2009)). the initial IMA approach for the space requirements for the In the last years, modern computing systems have in- new satellite generation (Windsor and Hjortnaes (2009)). In the the last last years, years, modern modern computing computing systems systems have have inin- new satellite (Windsor and Hjortnaes (2009)). The IMA-SPgeneration project was focused mono-processors In new (Windsor andon (2009)). creased its processing capabilities and its computational The satellite IMA-SPgeneration project was was focused onHjortnaes mono-processors In the last years, modern computing systems have in- The creased its processing capabilities and its computational IMA-SP project focused on mono-processors (IMA (2011-13)). The platform defines a virtualization creased its processing capabilities and its computational The IMA-SP project was focused on mono-processors resources in such a way that they are capable of executing (IMA (2011-13)). (2011-13)). The The platform platform defines defines aa virtualization virtualization creased and its computational resourcesitsin inprocessing such aa way waycapabilities that they they are are capable of executing executing (IMA that platform permits the execution of several resources that (IMA (hypervisor) (2011-13)). The defines a virtualization several concurrent real-time applications thatof for- layer layer (hypervisor) that permits permits the the execution of several several resources in such such a way that they are capable capable ofwould executing several concurrent real-time applications that would forlayer (hypervisor) that execution partitions. Each partition can contain a guest of operating several concurrent real-time applications that would forlayer (hypervisor) that permits the execution of several merly have required several embedded systems. Scheduling partitions. Each partition can contain a guest operating several concurrent real-time applications that would formerly have have required required several several embedded embedded systems. systems. Scheduling Scheduling partitions. partition can contain aa guest operating system andEach the application software. The hypervisor is merly partitions. Each partition can contain guest operating different real-time applications in a mono-processor not system and and the the application application software. software. The The hypervisor hypervisor is is merly have requiredapplications several embedded systems. Scheduling different real-time in a mono-processor not system in charge of assuring temporal and spatial isolation of different real-time in aa also mono-processor not system andof the application software. The hypervisor is only achieves a costapplications reduction but offers the possiin charge charge assuring temporal and spatial isolation of different real-time applications in it mono-processor not in only achieves a cost reduction but it also offers the possipartitions. only achieves aa cost reduction but it also offers the possiin charge of of assuring assuring temporal temporal and and spatial spatial isolation isolation of of bility of performance enhancement and closer integration partitions. only achieves cost reduction but it also offers the possibility of of performance performance enhancement enhancement and and closer closer integration integration partitions. bility partitions. of distinct applications. See Zhang and bility of performance enhancement and Burns closer (2007). integration An IMA development process involves several roles as: of distinct applications. See Zhang and Burns (2007). An IMA IMA development development process process involves involves several several roles roles as: as: of distinct applications. See Zhang and Burns (2007). An of distinct applications. See Zhang and Burns (2007). An development involves several roles as: to In many domains such as avionics, space or industrial (1)IMA System Architect process (SA): The SA has responsibility In many domains such as avionics, space or industrial (1) System System Architect Architect (SA): (SA): The The SA SA has has responsibility to to In many domains such as space industrial control constraints, and (1) In manysystems, domainshard suchreal-time as avionics, avionics, space or orsafety industrial overall (SA): system requirements and the sys(1) define Systemthe Architect The SA has responsibility responsibility to control systems, hard real-time constraints, safety and define the overall system requirements and the syscontrol systems, hard real-time constraints, safety and security issues and certification assurance levels are comdefine the overall system requirements and the syscontrol systems, hard real-timeassurance constraints, safety and tem design, including the optimal decomposition into define the overall system requirements and the syssecurity issues and certification levels are comtem design, including the optimal decomposition into security issues certification assurance levels are monly required. Integrated Modular Avionics (IMA) was tem design, including the into security issues and and certification assurance levels are comcomhosted partitions jointly with thedecomposition detailed resource tem design, including the optimal optimal into monly required. required. Integrated Modular Avionics (IMA) was hosted partitions jointly with the thedecomposition detailed resource resource monly Integrated Modular an architectural proposal emerged as Avionics a design (IMA) conceptwas to hosted partitions jointly with detailed monly required. Integrated Modular Avionics (IMA) was allocation per partition. hosted partitions jointly with the detailed resource an architectural proposal emerged as a design concept to allocation per per partition. partition. an architectural proposal emerged as concept to integrate in a hardware platform several applications with an architectural proposal emerged as aa design design concept to (2) allocation System Integrator (SI): The SI is responsible for allocation per partition. integrate in aa hardware hardware platform several applications with (2) System Integrator (SI): The The SI SI is is responsible responsible for for integrate in platform several applications with different levels of criticality. IMA approach proposes to (2) System Integrator (SI): integrate in a hardware platform several applications with verifying the feasibility ofThe the SI system requirements (2) System Integrator (SI): is responsible for different levels of criticality. IMA approach proposes to verifying the feasibility of the system requirements different levels of IMA proposes to encapsulate functions into partitions configuring a partiverifying feasibility requirements different levels of criticality. criticality. IMA approach approach proposes to defined bythe the SA, as of wellthe assystem responsible for the verifying the feasibility of the system requirements encapsulate functions into partitions configuring a partidefined by by the the SA, SA, as as well well as responsible responsible for for the the encapsulate functions into configuring aa partitioned system. Partitioned architectures isolate software defined encapsulate functions into partitions partitions configuring particonfiguration andSA, integration of all components. defined by the as well as as responsible for the tioned system. system. Partitioned architectures isolate software software configuration and integration of all components. tioned Partitioned architectures isolate components into independent partitions whose execution and of all tioned system. architectures isolateexecution software (3) configuration Application (AS): An is responsible for configurationSuppliers and integration integration of AS all components. components. components intoPartitioned independent partitions whose whose (3) Application Application Suppliers (AS): An An AS is responsible responsible for for components into shall not interfere with that ofpartitions other partitions, preserv(3) Suppliers AS is components into independent independent partitions whose execution execution the development of an(AS): application according to the (3) Application Suppliers (AS): An AS is responsible for shall not interfere with that of other partitions, preservthe development of an application according to the shall not with of partitions, preserving temporal and spatial isolation. Several projects have the development of an application the shall not interfere interfere with that that of other other partitions, preservoverall requirements from the SA andaccording the SI. ASto shall the development of an application according to the ing temporal and spatial isolation. Several projects have overall requirements requirements from from the the SA SA and the the SI. SI. AS AS shall shall ing temporal and isolation. Several projects have successfully using this approach the avionic overall ing temporaldeveloped and spatial spatial isolation. Several in projects have verify that the allocated safety parameoverall requirements from budget the SA and and the SI. AS shall successfully developed using this approach approach in the avionic avionic verify that the allocated budget and safety paramesuccessfully developed using this in the market. verify that the allocated budget and safety paramesuccessfully developed using this approach in the avionic verify that the allocated budget and safety paramemarket. market. market.
Guasque Guasque Guasque Guasque
Ana ∗∗ Ana ∗ Ana Ana ∗
Copyright©©2015, 2015 IFAC (International Federation of Automatic Control) 264 Hosting by Elsevier Ltd. All rights reserved. 2405-8963 Copyright © 2015IFAC IFAC 264 Copyright 2015 IFAC 264 Peer review© of International Federation of Automatic Copyright ©under 2015responsibility IFAC 264Control. 10.1016/j.ifacol.2015.08.142
CESCIT 2015 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
ters are respected. Assuming that each application is located in a partition and a partition can have only one application, an AS can also be called Partition Developer (PD). There are other roles in the process but due to space restrictions we only detail those interesting for the purpose of the paper. For a complete description of the main roles and responsibilities see (IMA-SP. Integrated Modular Avionics for Space (2011-13)). A key element in the development process and the final execution is the configuration of the system defined by the SA, which includes the components description and the resource allocation. This is identified as configuration data or configuration file. In order to preserve the confidentiality of the developing process, a configuration data is split and delivered to each PD with the required information for the application development. Regarding the allocation of temporal resources, the SI is responsible for CPU allocation to applications while the PD shall manage the time budget assigned to its tasks by the SI. Then, a partition does not have all the time assigned to schedule its tasks, but only certain slots throughout the hyper-period. To satisfy the temporal resource requirements of the partition, the system must supply sufficient computational resources. The list of assigned slots is provided by the SI, that is in charge of assuring the feasibility in the global level. Thus, PD’s give to the SI its temporal requirements, normally in the form of CPU bandwidth. The SI calculates and assigns this bandwidth to partitions using a well known bandwidth server or it can assign it using a cyclic scheduling. ARINC 653 standard (Avionics Application Software Standard Interface (ARINC-653) (2006)) defines a hierarchical scheduling where a static cyclic executive scheduler is used in the global level. If the assignment is made using a bandwidth algorithm, the corresponding feasibility tests are available in the literature so the PD can apply them to know if its tasks are schedulable with this slots assignment (see section 5). On the contrary, if the assignment is made by the SI in an arbitrary way (i.e. not following any existing scheduling algorithm) the authors are not aware of any paper that addresses and solves this problem. Moreover, schedulability tests for hierarchical systems are based on calculating the worst case response time of tasks in the local level and adding the worst case overhead due to the global level. But, if the scheduling policy is not known in the global level, existing schedulability tests can not apply. Our aim is to generalized the global level model characterizing it by a slots assignment (arbitrary CPU supply as we will comment later). 1.1 Contributions and outline The problem to be addressed is concerned with the schedulability of a hierarchical system composed of two levels. The global level policy is not known but provided by the SI as a set of arbitrary time slots. By arbitrary we understand that are not derived from any known scheduling algorithm 265
265
in the global level. We provide a schedulability analysis so the PD can accept the slots assignment. In the local level, we will assume EDF. Obviously, our results can be used even if the scheduling algorithm in the global level is known. The results presented in this paper are also useful in the other direction. This paper provides a method to determine the more restrictive assignment slots for a task set, as a mean of minimum requirements that the SI assignment must meet. If the global level policy is known and based on a periodic server, our contributions will provide an alternative way of deducing the solution space for the server parameters. The paper is organized as follows: Section 2 presents the model and notation used, while in section 3 the calculation of the minimum supply bound function is explained. The schedulability test is presented in section 4. Section 5 presents the most important works in the field of hierarchical scheduling. Finally, section 6 summarizes the contributions of the paper and future lines of work. 2. SYSTEM MODEL AND NOTATION Our model is concerned with the pre-emptive scheduling of real-time applications on an uniprocessor. Each application consists of a number of partitions P1 , .., Pm . Each partition comprises a number of tasks. Thus, our hierarchical system has two levels, the partition (or global) level and the task (or local) level, each of them with its own scheduling policy. In this work, we will assume that the local level is scheduled under EDF scheduling policy and the global level is scheduled under any scheduler. Global scheduling information is provided as temporal windows or slots, in which a partition is allowed to execute. From now on, the sub index used to refer to a partition will be omitted to simplify the notation. Therefore, a partition P can be defined 1 in a formal way as a tuple P = {τ, R} where: (1) τ = {τ1 , τ2 , .., τn } is a set of n tasks. A task τi is characterized by a tuple τi = {φi , Ci , Di , Ti } where φi is the offset, Ci is the worst case computation time, Di is the relative deadline and Ti is the period. When all parameters to the system are integers, we may assume without loss of generality that all preemptions occur at integer time values. We then assume, for the remainder of the paper, that all parameters are indeed integers. Moreover, constrained deadlines are assumed so Di ≤ Ti . (2) An arbitrary CPU supply, R, is represented by a sequence of p intervals I1 , I2 , ..., Ip . Every Ii / 1 ≤ i ≤ p is a closed interval Ii = [si , ei ] repited every lcmτ 2 , so that 0 ≤ si < ei < si+1 and ep ≤ lcmτ . Therefore, ∀t exists a unique interval Ii so that si ≤ t ≤ ei . The CPU supply R for a partition determines the p temporal slots in which tasks allocated to the partition are allowed to execute. 1 In the definition of the partition we omit all non-temporal resources 2 Least Common Multiple of T , .., T n 1
CESCIT 2015 266 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
The problem to solve is concerned with the schedulability of the partition, that is, if task set τ can be scheduled without deadline misses in the slots defined by R. 2.1 Supply bound function Although we have characterized R as a set of intervals, it can also be defined as a function. Given a CPU supply R and interval of length t, the supply bound function gives the minimum amount of resource that model R is guaranteed to supply in any time interval of length t Easwaran et al. (2007). We can define the supply bound function of R, accordingly with the above definition. Definition 1. The supply bound function (sbfR (t)) of an arbitrary supply R expressed as a set of intervals is: ⎧ j � ⎪ ⎪ ⎪ ⎪ ⎪ (ei − si ) + t − ej if ∃j/t ∈ [sj , ej ], ⎪ ⎨ i=0 sbfR (t) =
⎪ j ⎪ � ⎪ ⎪ ⎪ ⎪ ⎩ (ei − si ) i=0
(1)
If tasks are simultaneously activated at time t = 0 (i.e. φi = 0 for all the tasks so the task set is synchronous), then: Definition 2. Baruah et al. (1990) The maximum cumulative execution time requested by jobs of τ whose absolute deadlines are less than equal to t is: � � n � t + Ti − Di (3) Ci dbfτ (t) = Ti i=1 It is a positive and increasing function that only increases in the so-called scheduling points i.e., when a deadline arrives. The minimum supply bound function (msbfτ (t)) is the more restrictive set of temporal windows that can successfully schedule τ . Next results will show how the first two intervals of the function are obtained and, then, msbfτ (t) will be generalized. Theorem 1. Let t1 ∈ N so that: t1 − dbfτ (t1 ) = min(t − dbfτ (t)) t − t1 + dbfτ (t1 ) 0
�
τn+1
Cn+1 = t1 − dbfτ (t1 )
Dn+1 = t1 − dbfτ (t1 ) Tn+1 = lcmτ
To prove schedulability of τ , the condition dbfτ (t) ≤ t must be complied in all the scheduling points within [0, t1 ]. Let’s suppose that a is a scheduling point in [0, t1 ]. If a < Dn+1 , obviously dbfτ (a) = dbfτ (a) ≤ a. If a ≥ Dn+1 , the demand bound function of the new task set τ is: dbfτ (a) = dbfτ (a) + Cn+1 = dbfτ (a) + t1 − dbfτ (t1 ) As t1 − dbfτ (t1 ) = min(t − dbfτ (t)) then
∀t ∈ (0, lcmτ ]
t1 − dbfτ (t1 ) ≤ (a − dbfτ (a)) So,
The goal of this section is to determine the minimum CPU supply for a task set τ while maintaining feasibility. For that, we will base our method in the demand bound function for a task set.
�
where
(2)
3. MINIMUM CPU SUPPLY FOR A TASK SET
msbfτ (t) =
τ = τ
t
A basic schedulability condition is: ∀t sbfR (t) ≤ t
Then,
Let
if ∃j/ej < t < sj+1 .
Then, a CPU supply R can be characterized either by a set of intervals Ii or by its sbfR (t).
t
Proof. The proof will be based on adding a new task τn+1 . This task could only be executed when τ is not, that is, in [0, t1 − dbfτ (t1 )) and we will demonstrate that the new set is schedulable. Then, the computation time of τn+1 will be increased in order to check that the new set is not schedulable.
(4)
if t ∈ [t1 − dbfτ (t1 ), t1 ], if t ∈ [0, t1 − dbfτ (t1 )). (5) 266
dbfτ (a) ≤ dbfτ (a) + a − dbfτ (a) ≤a Now, let’s suppose τ = τ and
�
τn+1
Cn+1 = t1 − dbfτ (t1 ) + �
Dn+1 = t1 − dbfτ (t1 ) + � Tn+1 = lcmτ
being � a small positive number such that 0 < � ≤ 1.
Following the same reasoning:
dbfτ (t1 ) = dbfτ (t1 ) + t1 − dbfτ (t1 ) + � = t1 + � so τ is not schedulable. As a result of the previous theorem, msbfτ (t) until t1 , expressed as a set of intervals, is msbfτ (t) = I0 = [t1 − dbfτ (t1 ), t1 ]. Using a similar approach we will derive the next interval. Lemma 1. Let t2 ∈ N, t1 < t2 so that: t2 − dbfτ (t2 ) = min(t − dbfτ (t)) t
Then
∀t ∈ (t1 , lcmτ ]
(6)
CESCIT 2015 June 22-24, 2015. Maribor, Slovenia
msbfτ (t) =
⎧ t − t1 + dbfτ (t1 ) if t ∈ [t1 − dbfτ (t1 ), t1 ], ⎪ ⎪ ⎪ ⎪ dbfτ (t1 ) if t ∈ (t1 , ⎪ ⎪ ⎨
t2 − dbfτ (t2 ) + dbfτ (t1 ))
t − t2 + dbfτ (t2 ) if t ∈ [t2 − dbfτ (t2 ) ⎪ ⎪ ⎪ ⎪ +dbfτ (t1 ), t2 ], ⎪ ⎪ ⎩
267
(7)
if t ∈ [0, t1 ).
0
Proof.
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
Schedulability in [0, t1 ] is assured due to Theorem 1. Following the same reasoning than Theorem 1, we are going to add a task whose computation time coincides with the idle time between I0 and SI1 and its deadline is equal to the start time of I1 (s1 ). Let
τ� = τ
where
�
τn+1
�
τn+2
Cn+1 = t1 − dbfτ (t1 ) Dn+1 = t1 − dbfτ (t1 ) Tn+1 = lcmτ Cn+2 = t2 − dbfτ (t2 ) + dbfτ (t1 ) − t1 Dn+2 = t2 − dbfτ (t2 ) + dbfτ (t1 ) Tn+2 = lcmτ Let’s suppose that a is a scheduling point in (t1 , t2 ]. If a < Dn+2 , then dbfτ (a) = dbfτ (a), so the new task set is schedulable. If a ≥ Dn+2 , following the same reasoning than in Theorem 1, the computation time of τn+1 and τn+2 is added to sbfτ (t):
i=0
Theorem 1 and Lemma 1 provide a method to obtain the first two intervals of msbfτ (t) function. Figure 1 shows graphically how the function is obtained. It is straightforward to recursively construct all the minimum supply slots needed by τ to maintain feasibility: finding tj points in where it holds that tj − dbfτ (tj ) is the minimum value in (tj−1 , lcmτ ]. We will call this points the minimum scheduling points tj . Therefore, the msbfτ (t) is defined as in definition 2 but now we can give specific values to sj and ej :
i=0
+t2 − t2 + dbfτ (t2 ) − dbf (t1 ) + ... j �
t2 − dbfτ (t2 ) ≤ (a − dbfτ (a))
⎪ ⎪ j ⎪ � ⎪ ⎪ ⎪ (ei − si ) ⎩
(ei − si ) = t1 − t1 + dbfτ (t1 ) − dbf (t0 )+
Assuming that t0 = 0 and dbfτ (0) = 0:
dbfτ (a) ≤ dbfτ (a) + a − dbfτ (a) ≤a
msbfτ (t) =
Replacing the values of sj and ej in the previous definition, it results:
i=0
As,
⎧ j � ⎪ ⎪ ⎪ (ei − si ) + t − ej ⎪ ⎪ ⎪ ⎨ i=0
where sj = tj − dbfτ (tj ) + dbf (tj−1 ) and ej = tj .
j �
dbfτ (a) = dbfτ (a) + t1 − dbfτ (t1 )+ + t2 − dbfτ (t2 ) + dbfτ (t1 ) − t1 = dbfτ (a) + t2 − dbfτ (t2 )
then
Fig. 1. Calculation of msbfτ (t) in [0, t2 ]
(ei − si ) = dbfτ (tj )
Therefore, we can provide a more compact definition for msbfτ (t): ⎧ ⎨t − tj + dbfτ (tj ) if ∃j/t ∈ [sj , ej ], (9) msbfτ (t) = ⎩ dbfτ (tj ) if ∃j/ej < t < sj+1 .
The previous function is obtained from the dbfτ (t) in definition 2, particularized for synchronized tasks. If we assume the possibility of asynchronism (i.e., exists any φi �= 0) between tasks, another function dbfτ (t) must be defined. 4. SCHEDULABILITY ANALYSIS
if ∃j/t ∈ [sj , ej ],
Once msbfτ (t) is obtained, the following theorem provides the schedulability condition of {τ, R}. Theorem 2. A task set τ is schedulable under a CPU supply R if and only if:
if ∃j/ej < t < sj+1 . (8) 267
∀t
sbfR (t) = msbfτ (t)
(10)
CESCIT 2015 268 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
Proof.
provided by Balbastre et al. (2009). Lipari and Bini (2005) provide a kind of sensitivity analysis of the global level for a two-level hierarchical system, providing a methodology for calculating the domain parameters that makes the task set feasible. Lorente and Palencia (2006) presented a worst-case response time analysis for the tasks in a two level hierarchical EDF systems.
We will prove that for any time point a : msbfτ (a) ≥ dbfτ (a) ≥ ∀a ∈ [0, lcmτ ] We will suppose two cases: • Case 1: a ∈ / [sj , ej ]. • Case 2: a ∈ [sj , ej ].
6. CONCLUSIONS
Case 1: If a ∈ / [sj , ej ], then ∃j so ej < a < sj+1 . Applying the second case in the msbfτ (t) definition: msbfτ (a) = dbfτ (a) Case 2: If a ∈ [sj , ej ], applying the first case of the msbf definition: msbfτ (a) = a − tj + dbfτ (tj ) As dbfτ (t) is a positive and monotonic increasing function it holds that Ripoll et al. (1996): If a ≤ tj then dbfτ (a) ≤ dbfτ (tj )
And, as τ is schedulable then dbfτ (tj ) − tj ≤ 0. Therefore:
msbfτ (a) ≥ dbfτ (a) − dbfτ (tj ) − tj ≥ dbfτ (a) In any case: msbfτ (a) ≥ dbfτ (a). 5. RELATED WORK In a partitioned architecture, partitions can be viewed as components that consist of a real-time workload and a scheduling policy for the workload. This definition coincides with a compositional system hierarchically organized. Different works in compositional scheduling have been proposed for a variety of real-time task models (Marimuthu and Chakraborty (2006); Lipari and Bini (2003); Shin and Lee (2003); Easwaran et al. (2007)). Hierarchical scheduling has been a topic of research interest in recent years. One of the first works on this area is the one presented by Deng and Liu (1997), based on a two-level real-time scheduling framework. Kuo and Li (1998) presented an exact schedulability condition for this framework assuming fixed priority pre-emptive scheduling. Lipari and Baruah (2000) presented a similar work with EDF. Saewong et al. (2002) provided a response time analysis for fixed-priority hierarchical systems. This analysis was pessimistic as it was showed by Davis and Burns (2005). However, Davis and Burns gave an exact response time calculation only for the partition with the highest priority. Almeida and Pedreiras (2004) improved the analysis by Saewong et al. but, again it was not an exact analysis. In Bril et al. (2006), Bril et al. show that the worst case response time of a task is not necessarily assumed for the first job with the conditions of critical instant provided by Davis and Burns. They claim that the existing analysis could be improved but they do not provide an alternative analysis. The exact response time was 268
This paper has considered the case of a two level hierarchical real-time system, where tasks in the local level are scheduled under EDF policy but the global level does not follow a known scheduling policy but the only information is provided as a set of CPU slots. The contribution of this paper is the calculation of the more restrictive sequence of slots (minimum supply bound function) of a task set in the local level. It also provides a non-schedulability condition of a task set in some arbitrary CPU slots. moreover, our model can also be used with any existing server in the global level, however our model is a generalization of any scheduling in the global level. Although we initially apply our results to static scheduling, further work will be focused on providing on-line algorithms to calculate msbfτ (t) in a specific window. This could be specially useful in flexible environments, where even if the scheduling algorithm is known a priori, jitter or latencies makes the final slots execution difficult to predict. Actions for future work are related to checking the schedulability of a task set, given a certain arbitrary sequence of CPU slots, by comparison with the minimum supply bound function. Improvements in the msbfτ (t) calculation are also foreseen. The proposed algorithm needs all the hyperperiod space to be exact but we expect to dramatically reduce the calculation cost by obtaining an upper bound for msbfτ (t). REFERENCES (2011-13). IMA-SP Integrated Modular Avionics for Space. ESA project 4000100764. Almeida, L. and Pedreiras, P. (2004). Scheduling within temporal partitions: response-time analysis and server design. In Fourth ACM International Conference on Embedded Software (EMSOFT). Avionics Application Software Standard Interface (ARINC-653) (2006). Avionics Application Software Standard Interface. Airlines Electronic Eng. Committee. Balbastre, P., Ripoll, I., and Crespo, A. (2009). Exact response time analysis of hierarchical fixed-priority scheduling. In 15th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2009. RTCSA ’09., 315–320. doi: 10.1109/RTCSA.2009.40. Baruah, S., Mok, A., and Rosier, L. (1990). Preemptively scheduling hard real-time sporadic tasks on one processor. In IEEE Real-Time Systems Symposium, 182–190. Bril, R.J., Verhaegh, W.F.J., and Wust, C.C. (2006). A cognac-glass algorithm for conditionally guaranteed budgets. In IEEE Real-Time Systems Symposium. Davis, R.I. and Burns, A. (2005). Hierarchical fixed priority pre-emptive scheduling. In IEEE Real-Time Systems Symposium.
CESCIT 2015 June 22-24, 2015. Maribor, Slovenia
Guasque Ana et al. / IFAC-PapersOnLine 48-10 (2015) 264–269
Deng, Z. and Liu, J.W.S. (1997). Scheduling real-time applications in an open environment. In IEEE RealTime Systems Symposium. Easwaran, A., Lee, I., Shin, I., and Sokolsky, O. (2007). Compositional schedulability analysis of hierarchical real-time systems. In ISORC, 274–281. IMA-SP. Integrated Modular Avionics for Space (2011-13). IMA Development Process, Roles and Tools. IMA-SP D08-11. Kuo, T.W. and Li, C.H. (1998). A fixed priority driven open environment for real-time applications. In IEEE Real-Time Systems Symposium. Lipari, G. and Baruah, S. (2000). Efficient scheduling of real-time multi-task applications in dynamic systems. In IEEE Real-Time Tecnology and Applications Symposium. Lipari, G. and Bini, E. (2003). Resource partitioning among real-time applications. In Real-Time Systems, 2003. Proceedings. 15th Euromicro Conference on, 151– 158. doi:10.1109/EMRTS.2003.1212738. Lipari, G. and Bini, E. (2005). A methodology for designing hierarchical scheduling systems. Journal of Embedded Computing, 1(2), 257–269. Lorente, J. and Palencia, J. (2006). An edf hierarchical scheduling model for bandwidth servers. In Proceedings. 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications, 2006., 261–266. doi:10.1109/RTCSA.2006.13. Marimuthu, S. and Chakraborty, S. (2006). A framework for compositional and hierarchical real-time scheduling. In 12th IEEE Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 91 –96. doi:10.1109/RTCSA.2006.7. Ripoll, I., Crespo, A., and Mok, A. (1996). Improvement in feasibility testing for real-time tasks. Journal of RealTime Systems, 11, 19–40. Saewong, S., Rajkumar, R., and Lehoczky, J. (2002). Analysis of hierarchical fixed-priority scheduling. In Euromicro Conference on Real-Time Systems. Shin, I. and Lee, I. (2003). Periodic resource model for compositional real-time guarantees. In Real-Time Systems Symposium, 2003. RTSS 2003. 24th IEEE, 2– 13. doi:10.1109/REAL.2003.1253249. Windsor, J. and Hjortnaes, K. (2009). Time and space partitioning in spacecraft avionics. In IEEE Conference on Space Mission Challenges for Information Technology. Zhang, F. and Burns, A. (2007). Analysis of hierarchical edf pre-emptive scheduling. In 28th IEEE International Real-Time Systems Symposium, 2007. RTSS 2007., 423– 434. doi:10.1109/RTSS.2007.12.
269
269