Efficient Schedulability Test for Dynamic-Priority Scheduling of Mixed-Criticality Real-Time Systems
Xiaozhe Gu, Nanyang Technological University
Arvind Easwaran, Nanyang Technological University

Systems in many safety-critical application domains are subject to certification requirements. In such a system, there are typically different applications providing functionalities that have varying degrees of criticality. Consequently, the certification requirements for functionalities at these different criticality levels also vary, with very high levels of assurance required for a highly critical functionality and relatively low levels of assurance required for a less critical one. Considering the timing assurance given to various applications in the form of guaranteed budgets within deadlines, a theory of real-time scheduling for such multi-criticality systems has been under development in the recent past. In particular, an algorithm called Earliest Deadline First with Virtual Deadlines (EDF-VD) has shown a lot of promise for systems with two criticality levels, especially in terms of practical performance demonstrated through experimental results. In this paper we design a new schedulability test for EDF-VD that extends these performance benefits to multi-criticality systems. We propose a new test based on demand bound functions and also present a novel virtual deadline assignment strategy. Through extensive experiments we show that the proposed technique significantly outperforms existing strategies for a variety of generic real-time systems.

Categories and Subject Descriptors: C.3 [Special-purpose and application-based systems]: Real-time and embedded systems; D.4.1 [Operating Systems]: Process management - Scheduling

General Terms: Schedulability Analysis, Multi-Criticality System, Design of Real-Time Scheduler
1. INTRODUCTION
Real-time systems are defined as those systems in which the correctness of the system depends not only on the logical result of computation, but also on the time at which the results are produced [Stankovic et al. 1998]. For example, a pacemaker is inserted in a person's chest to provide electrical impulses at regular intervals to help the heart beat. Here the pacemaker must provide service with certain timing constraints, and applications with these kinds of timing constraints are considered real time.

Timing constraints in real-time systems are often modeled as deadlines. If a schedulable activity (e.g., a job) executes and completes before its assigned deadline, the deadline is met (and otherwise it is missed). This means that, in order to meet the deadline, the scheduler must have a priori knowledge of the amount of execution that the job would request. Further, to achieve high timing predictability in the presence of various sources of variability, these systems must be built under pessimistic assumptions to cope with worst-case scenarios. That is, the scheduler typically assumes that the job would execute for a certain worst-case amount of time (denoted as WCET for Worst-Case Execution Time), which encompasses all the possible variations in execution time. However, determining an exact WCET for a job is very difficult [Puschner and Burns 2000], and usually a conservative overestimation of the true WCET [Wilhelm et al. 2008] is used to analyze and schedule a real-time system.

An increasing trend in embedded systems is that multiple functionalities with different levels of "criticality" (or importance) are developed independently and integrated together on a common computing platform [Prisaznuk 1992]. This trend is evident in industry-driven initiatives such as ARINC653 [ARI 2008], Integrated Modular Avionics (IMA) in avionics and AUTOSAR in automotive.
An important notion behind this trend is the safe isolation of separate functionalities of different criticality, primarily to achieve fault containment. For example, in a modern car, devices and software are integrated into the entertainment system and often run on the same platform as the more critical instrument panel information display subsystem. The challenge in such a system is managing the dramatically different nature of resource requirements between the less critical infotainment functions, characterized by best-effort or soft real-time needs, and the more critical display functions that require strong reliability.

ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY.

Here we define criticality as the level of assurance against severe failure needed for a system component. Typically, failure of a high critical functionality would cause a more severe consequence to the whole system than the failure of a low critical functionality. Thus high critical functions require higher assurance that their estimated WCETs will not be exceeded. As a result, their WCET estimates tend to involve very conservative assumptions about the system (cache flushing on preemption, over-provisioning for potentially missed execution paths, etc.) that are very unlikely to occur in practice. Consequently, the system resources are in fact severely under-utilized in practice because high critical functions would rarely execute as much as their WCET estimates.

This raises the challenge of how to balance the conflicting requirements of isolation for safety assurance and efficient resource sharing for economical benefits. The concept of mixed-criticality (MC) appears to be important in meeting those two goals. In order to close such a gap in resource utilization, Vestal [Vestal 2007] proposed the MC task model that comprises different WCET estimates. These estimates are determined at different levels of confidence ("criticality") based on the following principle. A reasonable low-confidence WCET estimate, even if it is based on measurements, may be sufficient for almost all possible execution scenarios in practice. As long as this estimate is not violated, both low critical tasks and high critical tasks are required to meet their timing constraints.
In the highly unlikely event that this estimate is violated, as long as the scheduling mechanism can ensure deadline satisfaction for high critical applications, the resulting system design may still be considered as safe. Considering such MC real-time task systems with two criticality levels, several studies have proposed scheduling algorithms and corresponding schedulability tests in the past [Ekberg and Yi 2012; Baruah et al. 2012a; Baruah et al. 2011b]. There have also been some recent studies that extend some of these results to more than two criticality levels [Ekberg and Yi 2014; Fleming 2013; Baruah et al. 2015].

In this paper we focus on the problem of EDF (earliest deadline first) scheduling of mixed-criticality systems on uniprocessors. In particular, we address the problem of scheduling multi-criticality real-time task systems (systems with more than two criticality levels). Baruah and Vestal [Baruah and Vestal 2008] first considered MC scheduling with EDF. Later Park and Kim [Park and Kim 2011] proposed Criticality Based EDF that applies a combination of off- and on-line analyses to run high critical jobs as late as possible, and low critical jobs in the generated slack. Baruah et al. proposed an algorithm called EDF-VD (EDF with virtual deadlines) [Baruah et al. 2012a] for a dual-criticality system. High critical tasks have their deadlines reduced by the same factor (if necessary) during low-criticality mode execution. They demonstrate both theoretically and via evaluations that this is an effective scheme. EDF-VD [Baruah et al. 2012a] is constrained to dual-criticality implicit deadline systems, and was extended to multi-criticality systems in [Baruah et al. 2015].
Although EDF-VD analyses the system across multiple criticality levels together, it is still very pessimistic even for two criticality levels because of the following factors: 1) the virtual deadlines for all the high critical tasks are uniformly assigned based on a single common factor, and 2) using demand density to characterize the demand of a constrained-deadline task (a task with a virtual deadline smaller than its period) will always be pessimistic.

A more general demand bound function based analysis for EDF mixed-criticality scheduling was proposed by Ekberg and Yi [Ekberg and Yi 2012]. They also introduced a heuristic virtual deadline tuning algorithm called GreedyTuning where deadlines can be reduced by different factors. GreedyTuning can increase the chances that a task system is schedulable by EDF. From extensive experiments, they show that GreedyTuning outperforms all existing works on MC scheduling for a variety of generic real-time systems. GreedyTuning was extended to multi-criticality systems in [Ekberg and Yi 2014]. However, it suffers from a drawback that its schedulability performance drops significantly as the number of criticality levels increases (see Figure 17 in [Ekberg and Yi 2014]). In Figure 9 of this paper, we also show that it is not good at scheduling task systems with a larger percentage of high critical tasks.
The primary reason for this drop in performance is that they analyze the system in each criticality mode from the time instant when the mode-switch happens, conservatively assuming maximum carry-over interference when the system behavior switches from a lower criticality level to the one being analyzed.

The test proposed in [Easwaran 2013] addresses this problem by considering the system behavior from the start of a busy interval in a dbf-based analysis, but it is restricted to dual-criticality systems. The first challenge in extending this initial result to more than two criticality levels is that the task execution pattern that can result in worst-case demand, and hence the dbf for dual-criticality systems, is no longer valid in multi-criticality systems. Besides, if we consider the demand from the start of a busy interval as [Easwaran 2013] does, there would be multiple mode-switches happening at $S_2, S_3, \ldots, S_m$ during the time interval. Then, we have to consider all possible combinations of these mode-switch instants, and as a result, the complexity of the test is exponential in the number of criticality levels. Also, given a set of these mode-switch instants, the task execution pattern that will result in the worst-case demand depends on all the tasks in the system and their remaining execution time at each of those mode-switches. It is therefore non-trivial to determine a worst-case pattern with low pessimism, and there is no known technique for the same.

Contribution: In sum, the contributions of this work are as follows.
— In this paper, we overcome the challenges and extend the dual-criticality dbf-based test [Easwaran 2013] to multi-criticality systems, with the same time complexity as the dual-criticality one.
— To further improve the performance of the proposed design, we also develop a new virtual deadline assignment strategy, extending the strategy proposed by [Ekberg and Yi 2014]. Finally, through experimental evaluation, we demonstrate that the proposed technique significantly outperforms the existing ones for generic real-time MC task systems.
Other Related Work: Since Vestal [Vestal 2007] first proposed the MC task model and an algorithm based on Audsley's priority assignment strategy [Audsley 1991], there have been a series of publications on the scheduling of MC systems on uniprocessors. A number of proposed studies are restricted to the problem of scheduling a finite set of mixed-criticality jobs with criticality dependent execution times [Li and Baruah 2010; Baruah et al. 2010; Baruah et al. 2012b]. The model these studies use is a constrained one, because in many real-time systems each task is able to generate an infinite number of jobs. For example, the engine control unit in a car periodically senses and processes information to efficiently control the fuel injection and emissions. Hence, these studies are superseded by studies that are applicable to the more general sporadic MC task model, which is also the focus of this paper. Vestal's approach [Vestal 2007] is the first work that uses Response-Time Analysis (RTA) to analyze the schedulability of generic MC task systems. This work was later improved by the Static Mixed Criticality Scheme (SMC) [Baruah and Burns 2011]. The Adaptive scheme (AMC) [Baruah et al. 2011b] goes further and outperforms all the previous works on fixed priority MC scheduling in terms of schedulability. Fleming and Burns [Fleming 2013] extended AMC for task systems with an arbitrary number of criticality levels, focusing particularly on five levels as this is the maximum found in automotive and avionics standards. There are various works (e.g. [Su and Zhu 2013; Burns et al. 2015; Bate et al. 2015a]) concerned with other problems in MC scheduling, e.g., how to switch back to low critical mode or support low critical execution, but these are not the focus of this work.

The rest of the paper is organized as follows. In Section 2 we first introduce the mixed-criticality task and scheduling model, and in Section 3 we give a brief introduction to GreedyTuning [Ekberg and Yi 2014], which is also the work we aim to improve. We derive our new multi-mode demand bound function (dbf) in Section 4. In Section 5 we present a novel deadline tuning algorithm to improve the performance of the proposed test. Finally, in Section 6 we show through experiments that our proposed test dominates GreedyTuning [Ekberg and Yi 2014].
2. TASK AND SCHEDULING MODEL
2.1. MC Task Model
The sporadic task model [Mok 1983] is a generic model for capturing the real-time requirements of many event-driven systems, including those with MC such as avionics and automotive. A sporadic task [Mok 1983] can be specified as $\tau_i = (T_i, C_i, D_i)$, where $T_i$ denotes the minimum separation between successive job releases, $D_i$ denotes its relative deadline, and $C_i$ denotes its worst-case execution time (WCET). No job of $\tau_i$ is expected to execute for more time than its WCET; otherwise the system is regarded as exhibiting erroneous behavior. Any job released by $\tau_i$ is required to complete by its deadline, and a deadline miss is regarded as system failure.

The task model widely used in most previous studies on scheduling of MC systems (e.g., [Ekberg and Yi 2012; Baruah et al. 2011b; Vestal 2007; Easwaran 2013]) is a straightforward extension of the classic sporadic task model [Mok 1983] to an MC setting; the worst-case execution times of a single task can vary between criticality levels. However, in most of these works the task model is constrained to two levels, i.e., a task can either be a low critical task or a high critical task. Instead, we use a more general multi-criticality model in this paper. Formally, a task $\tau_i$ in an MC sporadic task set $\tau = \{\tau_1, \tau_2, \ldots, \tau_k\}$ can be represented as a tuple $(T_i, C_i, D_i, L_i)$, where:
— $T_i \in \mathbb{Z}^+$ is the minimal time separation between the release of two successive jobs,
— $L_i \in \mathbb{Z}^+$ is the criticality level of $\tau_i$, and $L_i = 1$ denotes the lowest criticality level,
— $D_i \in \mathbb{Z}^+$ is the relative deadline,
— $C_i = (C_i^1, C_i^2, \ldots, C_i^{L_i})$ is an $L_i$-tuple of estimated execution time budgets, one for each criticality level.

Since the worst-case execution times for higher criticality levels are estimated more conservatively, we make the standard assumption that

$$\forall \tau_i \in \tau : C_i^1 \leq C_i^2 \leq \ldots \leq C_i^{L_i} \leq D_i \leq T_i$$

The system initially starts in $L_1$ (short for level one) criticality mode (i.e., the lowest criticality mode), each task $\tau_i \in \tau$ releases a potentially infinite sequence of jobs

The system stays in $L_1$ criticality mode as long as all the jobs of every task $\tau_i$ with $L_i \geq$ do not execute beyond their $L_1$ execution time estimate $C_i^1$. Once a job executes for its entire $L_1$ execution time estimate $C_i^1$ without signaling that it has finished, the system immediately switches to $L_2$ criticality mode. That is, in general, as shown in Figure 1, when the first job $J_i$ such that $L_i \geq m$ executes for more than its $L_{m-1}$ execution time estimate $C_i^{m-1}$ but does not signal that it has finished, the system switches to $L_m$ criticality mode. The time instant when the system switches from $L_{m-1}$ to $L_m$ criticality mode is called the criticality mode switch instant and is denoted as $S_m$.

[Fig. 1: Criticality Mode Switch Instant $S_m$. $J_i$ executes beyond $C_i^{m-1}$ and the system switches to $L_m$ criticality mode.]

After this mode switch at $S_m$, jobs with criticality level $L_i < m$, including those that were released before $S_m$ but did not complete until $S_m$, are no longer required to meet deadlines. For simplicity of analysis, these jobs are assumed to be dropped thereafter. However, we must still meet all the deadlines for jobs with $L_i \geq m$, even if they require up to $C_i^m$ budgets. If the system is now in $L_m$ criticality mode, we assume it will switch back to $L_1$ mode whenever the processor is idle.

Note that the assumptions in the preceding paragraph on mode switch are consistent with the standard literature on MC scheduling (e.g., [Li and Baruah 2010; Baruah et al. 2011b; Vestal 2007; Easwaran 2013]). There are some studies that focus on dealing with those assumptions, such as reducing the penalty on low-critical tasks (e.g., [Huang et al. 2014; Huang et al. 2013; Gu et al. 2015]), and switching back to a lower criticality mode earlier than the processor idle time (e.g., [Bate et al. 2015b]). These studies are orthogonal to the focus of this paper, which is to derive efficient schedulability tests for EDF-scheduled MC task systems.

Definition (MC-Schedulable). We define an MC task system to be MC-schedulable if $\forall m : 1 \leq m \leq M$, where $M = \max_{\tau_i \in \tau} \{L_i\}$, all jobs with criticality level $L_i \geq m$ can receive a budget up to $C_i^m$ and signal completion between their release time and deadline while the system stays in $L_m$ criticality mode.

The demand bound function was first proposed to analyze the schedulability of non-MC real-time workloads [Baruah et al. 1990]. The demand bound function captures the maximum execution demand a task can generate for a given time interval length.
Definition (Demand bound function). A demand bound function $dbf(\tau_i, e)$ gives an upper bound on the maximum possible execution demand of task $\tau_i$ in any time interval of length $e$, where demand is calculated as the total amount of required execution time of jobs with their whole scheduling windows within the time interval.

For example a task $\tau_i = (T_i = 5, C_i = 2, D_i = 3, L_i = 1)$ can generate as much as × $C_i$ = 2 × time units execution demand for a time interval length equal to . For the non-MC constrained deadline task model, the demand bound function for a given time interval length $e$ can be computed in constant time [Baruah et al. 1990] using the following equation.

$$dbf(\tau_i, e) = \left( \left\lfloor \frac{e - D_i}{T_i} \right\rfloor + 1 \right) \times C_i \qquad (1)$$

As long as we can guarantee that the total execution demand of a task set $\tau$ is always smaller than or equal to the time interval length $e$ for all values of $e$, we can claim $\tau$ is schedulable by the EDF algorithm on a uniprocessor platform.

THEOREM ([Baruah et al. 1990]). A non-mixed-criticality sporadic task set $\tau$ is successfully scheduled by the earliest deadline first (EDF) algorithm on a dedicated unit speed uniprocessor platform if

$$\forall e \in \{\ ,\ ,\ldots, e_{\max}\} : \sum_{\tau_i \in \tau} dbf(\tau_i, e) \leq e$$

where $e_{\max}$ is a pseudo-polynomial in the size of the input [Baruah et al. 1990] as long as the system utilization is bounded by some constant smaller than 1.
3. BACKGROUND: EXISTING DBF BASED TEST FOR MC TASK SYSTEMS
In this section, we first extend the idea of demand bound function to the mixed-criticality setting. Then we introduce the Single-Mode (SM) demand bound function of mixed-criticality workloads derived in an existing work [Ekberg and Yi 2012]. The test based on this SM dbf has been shown to dominate previous studies (e.g., EDF-VD [Baruah et al. 2012a] and AMC-max [Baruah et al. 2012b]) in terms of the ability to schedule MC sporadic task systems.

Let $M = \max_{\tau_i \in \tau} \{L_i\}$ and let $dbf_{SM}(\tau_i, e, m)$, where $m \in \{1, 2, \ldots, M\}$, denote the SM demand bound function of $\tau_i$ for the time interval $[S_m, S_m + e)$, when the system is currently in $L_m$ criticality mode and was in $L_{m-1}$ criticality mode before that. As we can observe, the SM dbf test separately analyzes the system in each criticality mode because it only considers the demand during $[S_m, S_m + e)$, and the system behavior before $S_m$ is totally ignored. Therefore, Theorem 2.3 can be extended in a straightforward way as follows.

THEOREM (Proposition [Ekberg and Yi]). An MC task set $\tau$ is schedulable by EDF on a dedicated unit speed uniprocessor platform for all the criticality modes if the following conditions hold:

$$\forall m \in \{1, 2, \ldots, M\} : \forall e \in \{\ ,\ ,\ldots, e_{\max}\} : dbf_{SM}(\tau, e, m) \leq e$$

where $dbf_{SM}(\tau, e, m) = \sum_{L_i \geq m} dbf_{SM}(\tau_i, e, m)$, and $e_{\max}$ is a pseudo-polynomial in the size of the input if the utilization of each criticality mode is bounded by some constant smaller than 1.

We define condition $CN_m^S$ as follows:

$$\forall e \in \{\ ,\ ,\ldots, e_{\max}\} : \sum_{L_i \geq m} dbf_{SM}(\tau_i, e, m) \leq e$$

Condition $CN_m^S$ captures the schedulability of task set $\tau$ for $L_m$ criticality mode on the assumption that $\tau$ is schedulable in $L_{m'}$ ($m' < m$) criticality modes. To compute $dbf_{SM}(\tau_i, e, m)$ we need to determine the maximum demand that $\tau_i$ can generate in the interval $[S_m, S_m + e]$. However, the demand of any task $\tau_i$ in $L_m$ criticality mode depends on the release pattern in all the previous criticality modes.

In $L_1$ criticality mode, each task $\tau_i$ will behave like a normal non-mixed-criticality task, and all jobs are guaranteed to execute for at most $C_i$ time units. Therefore the dbf for non-mixed-criticality tasks can be directly applied to capture the demand of $\tau_i$ in $L_1$ criticality mode, i.e.,

$$dbf_{SM}(\tau_i, e, 1) = \left( \left\lfloor \frac{e - D_i}{T_i} \right\rfloor + 1 \right) \times C_i \qquad (2)$$

If $\tau_i$ has $L_i < m$, then $dbf_{SM}(\tau_i, e, m) = 0$ because tasks with $L_i < m$ will be discarded after $S_m$. On the other hand, if $L_i \geq m$, then we need to consider the job that is released before the mode switch instant $S_m$ but has its deadline after $S_m$, because this job can affect $\tau_i$'s execution demand after $S_m$. We call such jobs carry-over jobs.

Definition (Carry-over job). A job $J_i^m$ from an $L_i \geq m$ criticality task that is active (released before $S_m$ and has deadline after $S_m$) at the time of the switch to $L_m$ criticality mode is called a carry-over job for $L_m$ criticality mode.

While we can discard all the active jobs with $L_i$ ($L_i < m$), the remaining execution demand of the carry-over jobs must be completed by their respective deadlines, and hence the demand of carry-over jobs must be accounted for in $dbf_{SM}(\tau_i, e, m)$.

[Fig. 2: After a switch to higher criticality mode, the remaining execution demand of a carry-over job must be finished in its remaining scheduling window.]

At the time of the switch to $L_m$ criticality mode, a carry-over job $J_i^m$ from task $\tau_i$ has $x$ ($x \geq 0$) time units left until its deadline, as shown in Figure 2. Since this job would have met its deadline in $L_{m'}$ ($m' < m$) criticality mode if the mode-switch at $S_m$ had not happened, there can be at most $x$ time units left to finish its maximum possible remaining execution demand $C_i^{m-1}$. That is, the job must have already executed at least $\max(0, C_i^{m-1} - x)$ time units before the mode-switch at $S_m$ (otherwise a deadline miss could happen in $L_{m-1}$ criticality mode).
After mode-switch $S_m$, the carry-over job may now execute for up to $C_i^m$ time units in total, and therefore the total execution demand remaining for the carry-over job after the switch is at most $C_i^m - \max(0, C_i^{m-1} - x)$. Unfortunately, if $x \to 0$, condition $CN_m^S$ with $m > 1$ cannot be satisfied, because as long as $C_i^m - C_i^{m-1} > 0$, we can always find a small $x$ so that $dbf_{SM}(\tau_i, e \to 0, m) = C_i^m - C_i^{m-1} > 0$.

The problem described above stems from the fact that EDF may execute a carry-over job quite late, and hence it cannot finish its remaining execution demand after the mode-switch at $S_m$. To solve this problem, virtual deadlines in different criticality modes have been introduced [Baruah et al. 2012a; Ekberg and Yi 2012; Easwaran 2013]. When the system is in $L_m$ criticality mode, tasks $\tau_i$ with $L_i \geq m$ are scheduled by the EDF scheduler according to virtual deadline $D_i^m$ ($D_i^m \leq D_i$). In $L_m$ criticality mode, any task $\tau_i$ with $L_i \geq m$ must finish its execution demand $C_i^m$ by its virtual deadline $D_i^m$. Since a job $J_i$ can now have multiple deadlines, we use $d(J_i, m) = r(J_i) + D_i^m$ to denote its absolute virtual deadline for $L_m$ criticality mode.

The virtual deadline gives the carry-over job extra slack time, $D_i^m - D_i^{m-1}$, to finish its additional demand $C_i^m - C_i^{m-1}$, at the cost of a higher load of execution demand in the lower criticality mode. However, we should note that virtual deadlines are not actual deadlines, and can be determined by deadline tuning algorithms [Ekberg and Yi 2012; Easwaran 2013] to improve EDF schedulability. The remaining execution demand for a carry-over job can then be bounded with the following lemma.

LEMMA (Demand of carry-over jobs [Ekberg and Yi]). Assume that EDF uses virtual relative deadline $D_i^m$ in $L_m$ criticality mode for tasks with $L_i \geq m$, and that we can guarantee that the demand is met in all lower criticality modes (i.e., $L_{m'}$ with $m' < m$) with respective virtual deadlines. If the carry-over job of $\tau_i$ has a remaining scheduling window of $x$ time units until its deadline $D_i^m$, as illustrated in Figure 3, then the following hold:
(1) If $x < D_i^m - D_i^{m-1}$, then the job must have already finished before $S_m$.
(2) If $x \geq D_i^m - D_i^{m-1}$, then the job's remaining execution demand after $S_m$ is bounded by $C_i^m - \max(0, C_i^{m-1} - x + D_i^m - D_i^{m-1})$.

As we can observe, to maximize the total demand in $L_m$ criticality mode, SM dbf conservatively assumes the maximum possible carry-over demand $C_i^m - \max(0, C_i^{m-1} - x + D_i^m - D_i^{m-1})$ from $L_{m-1}$ criticality mode.

[Fig. 3: A carry-over job of $\tau_i$ has a remaining scheduling window of length $x$ after the switch to $L_m$ mode. Here the switch happens before $r(J_i^m) + D_i^{m-1}$.]

The execution demand of $\tau_i$ for the time interval $[S_m, S_m + e)$ is equal to the sum of the unfinished execution demand of the carry-over job and the demand of jobs released after the carry-over job in this interval.

LEMMA (Maximum demand pattern [Ekberg and Yi]). Task $\tau_i$ with $L_i \geq m$ can generate maximum execution demand in $L_m$ ($m > 1$) criticality mode for a time interval length $e$ when the corresponding virtual deadline of some job, $r(J_i) + D_i^m$, is at the end of this time interval $e$ and all preceding jobs are released as late as possible, as shown in Figure 4.

Therefore the demand bound function of $\tau_i$ in $L_m$ ($m > 1$) criticality mode can be summarized as follows:

$$dbf_{SM}(\tau_i, e, m) = \max\left(0, \left(1 + \left\lfloor \frac{e - (D_i^m - D_i^{m-1})}{T_i} \right\rfloor\right) \times C_i^m\right) - done_m(\tau_i, e) \qquad (3)$$

Here $done_m(\tau_i, e)$ captures the execution demand of the carry-over job that must finish before $S_m$ and is equal to:

$$done_m(\tau_i, e) = \begin{cases} \max(0, C_i^{m-1} - mod(e, T_i) + D_i^m - D_i^{m-1}), & \text{if } D_i^m - D_i^{m-1} \leq mod(e, T_i) \text{ and } mod(e, T_i) < D_i^m \\ & \text{otherwise} \end{cases} \qquad (4)$$

where $mod(e, T_i) = e \bmod T_i$ is equal to the length of the remaining scheduling window of the carry-over job after $S_m$.

[Fig. 4: Demand of $\tau_i$ in $L_m$ ($m > 1$) Criticality Mode]
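As an added example (not code from the paper), Equations (2) to (4) and the per-mode condition of the SM test can be run in Python on a constructed two-task set, once with untuned virtual deadlines and once with a shortened level-1 virtual deadline. The class and function names, the task parameters and the caller-supplied `horizon` standing in for $e_{\max}$ are assumptions; the "otherwise" value of Equation (4) is taken to be 0, the checked interval lengths start at 0, and Equation (2) is evaluated with the level-1 virtual deadline.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MCTask:
    """Sporadic MC task (T_i, C_i, D_i, L_i) with one virtual deadline per mode."""
    T: int                # minimum separation between job releases
    D: int                # real relative deadline
    C: Tuple[int, ...]    # C[m-1] is the budget C_i^m for m = 1..L_i
    VD: Tuple[int, ...]   # VD[m-1] is the virtual deadline D_i^m used in mode L_m

    def __post_init__(self):
        if len(self.C) != len(self.VD):
            raise ValueError("need one virtual deadline per criticality level")
        if list(self.C) != sorted(self.C) or self.C[-1] > self.D or self.D > self.T:
            raise ValueError("model requires C^1 <= ... <= C^L <= D <= T")
        if list(self.VD) != sorted(self.VD) or self.VD[-1] > self.D:
            raise ValueError("virtual deadlines must be non-decreasing and <= D")

    @property
    def L(self) -> int:
        return len(self.C)


def dbf_sm(task: MCTask, e: int, m: int) -> int:
    """Single-mode demand bound of one task for an interval of length e in mode L_m."""
    if task.L < m:
        return 0                              # task is dropped once mode L_m starts
    if m == 1:                                # Equation (2)
        return max(0, (e - task.VD[0]) // task.T + 1) * task.C[0]
    slack = task.VD[m - 1] - task.VD[m - 2]   # D_i^m - D_i^{m-1}
    full = max(0, (e - slack) // task.T + 1) * task.C[m - 1]
    n = e % task.T                            # remaining window of the carry-over job
    if slack <= n < task.VD[m - 1]:           # Equation (4), first case
        done = max(0, task.C[m - 2] - n + slack)
    else:
        done = 0                              # assumed value of the "otherwise" case
    return full - done                        # Equation (3)


def sm_edf_test(tasks: List[MCTask], horizon: int) -> Optional[Tuple[int, int, int]]:
    """Check sum of dbf_sm <= e for every mode and every e in 0..horizon.

    Returns None if the condition holds everywhere, otherwise the first
    violation as (mode m, interval length e, total demand).
    """
    top = max(t.L for t in tasks)
    for m in range(1, top + 1):
        for e in range(horizon + 1):
            demand = sum(dbf_sm(t, e, m) for t in tasks)
            if demand > e:
                return (m, e, demand)
    return None


# Constructed task set: one level-2 task and one level-1 task.
UNTUNED = [MCTask(T=10, D=10, C=(2, 4), VD=(10, 10)),
           MCTask(T=10, D=10, C=(3,), VD=(10,))]
# Same tasks, level-1 virtual deadline of the first task shortened to 6.
TUNED = [MCTask(T=10, D=10, C=(2, 4), VD=(6, 10)),
         MCTask(T=10, D=10, C=(3,), VD=(10,))]

if __name__ == "__main__":
    print("untuned:", sm_edf_test(UNTUNED, 100))
    print("tuned:  ", sm_edf_test(TUNED, 100))
```

With untuned deadlines the carry-over job has no slack, so the mode-2 condition already fails for an interval of length 0, which is the $x \to 0$ problem described above; shortening the level-1 virtual deadline removes it.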
4. MULTI-MODE DBF BASED TEST FOR MC TASK SYSTEMS
The SM demand bound function considers the behavior of each criticality mode separately. That is, it does not use the execution demand in the previous criticality mode (e.g., $L_{m-1}$) to determine the remaining execution for carry-over jobs when a mode switch happens at $S_m$. If the execution load of task set $\tau$ in $L_{m-1}$ criticality mode is low, then carry-over jobs of many tasks would finish well before their deadlines, and would not generate any carry-over demand. This property leads to some interesting results, like the fact that the SM dbf based test cannot even schedule some task sets that are schedulable by reservation based approaches (i.e., all tasks are allocated $C_i^{L_i}$ execution budgets).

Example. Suppose task set $\tau = \{\tau_1, \tau_2\}$ has two tasks, where $\tau_1$ and $\tau_2$ are given in the following table. Obviously $\tau$ is schedulable by reservation based approaches because the utilization C T + C T < . However, according to GreedyTuning [Ekberg and Yi 2014], $\tau$ is not schedulable because dbf SM ( τ, , ≤ ∧ dbf SM ( τ, , ≤ is not true for any possible combination of virtual deadlines. We have to set small virtual deadlines in order to make dbf SM ( τ, , ≤ . However, by doing so, dbf SM ( τ, , would be greater than .

Task T i C i D i L i τ { C = 3 , C = 7 } 15 2 τ { C = 1 , C = 1 }

To address this drawback, in this section we propose a Multi-Mode (MM) demand bound function that collectively bounds the demand of $\tau$ in $L_{m-1}$ and $L_m$ criticality modes. Suppose the time interval of interest is $[S_{m-1}, S_{m-1} + e)$ where $S_{m-1} \leq S_m \leq S_{m-1} + e$. For simplicity we assume $S_{m-1} = 0$, because what determines the total demand is the time interval length $S_m - S_{m-1}$ and $e$, i.e., the dbf is independent of the exact value of $S_{m-1}$. As a result, the interval becomes $[0, e)$ where $0 \leq S_m \leq e$. Let $dbf_{MM}(\tau, S_m, e, m)$ denote the total execution demand of $\tau$ for the time interval $[0, e)$.

The test proposed in [Easwaran 2013] considers the system behavior from the start of a busy interval in a dbf-based analysis, but is limited to a dual-criticality task system. In a dual-criticality task system, there is at most one mode-switch. However, in a task system with more than two criticality levels, we have to consider the demand from jobs released before $S_{m-1}$ that have their deadline after $S_{m-1}$. As a result, the dbf analysis in [Easwaran 2013] is no longer valid in multi-criticality systems. In this section we extend the dbf analysis in [Easwaran 2013] to multi-criticality systems and present an MM dbf based test for multi-criticality systems.

The following theorem is a straightforward extension of Theorem 3.1, and can be used to determine whether a task set $\tau$ is schedulable by EDF on a dedicated unit speed uniprocessor platform.

THEOREM. An MC task set $\tau$ is schedulable by EDF on a dedicated unit speed uniprocessor platform for all the criticality modes if the following conditions hold:

$$\forall m \in \{1, 2, \ldots, M\} : \forall e \in \{\ ,\ ,\ldots, e_{\max}\} : \forall S_m \in \{\ ,\ ,\ldots, e\} : dbf_{MM}(\tau, S_m, e, m) \leq e$$

where $e_{\max}$ is pseudo-polynomial in the size of the input [Gu et al. 2015] if the system utilization of each criticality mode is bounded by some constant smaller than 1, and is also derived in Appendix A.3.

In the time interval of interest $[S_{m-1} = 0, e)$, a job can experience at most two mode-switches, at $S_{m-1} = 0$ and $S_m$, respectively. We categorize such carry-over jobs into four types, $J_i^X$ where $X \in \{A, B, C, D\}$, and use $J_i^{X+1}$ to denote the next job released after $J_i^X$. The patterns of these jobs are shown in Figure 5.

$J_i^A$: $L_i = m-1$, $r(J_i^A) < S_{m-1}$ and $r(J_i^{A+1}) \geq S_{m-1}$.
$J_i^B$: $L_i = m-1$, $r(J_i^B) \geq S_{m-1}$, $r(J_i^B) \leq S_m$ and $r(J_i^{B+1}) > S_m$.
$J_i^C$: $L_i \geq m$, $r(J_i^C) < S_{m-1}$ and $r(J_i^{C+1}) \geq S_{m-1}$.
$J_i^D$: $L_i \geq m$, $r(J_i^D) \geq S_{m-1}$, $r(J_i^D) \leq S_m$ and $r(J_i^{D+1}) > S_m$.

[Fig. 5: Four types of jobs that experience mode switch.]

Let $dbf_{MM}(J_i^X, S_m, e, m)$, where $X \in \{A, B, C, D\}$, denote the demand of job $J_i^X$ during $[0, e)$. Given the value of $r(J_i^X)$, we can simply calculate its demand. The detailed equations of $dbf_{MM}(J_i^X, S_m, e, m)$ are therefore presented in Appendix A.1, because they are very intuitive.

$dbf_{MM}(\tau_i, S_m, e, m)$

In the time interval $[S_{m-1} = 0, e)$, tasks with $L_i = m-1$ could execute during $[0, S_m)$, but would be dropped after $S_m$. Tasks with $L_i \geq m$ could execute during the whole time interval $[0, e)$.
For L criticality mode (the initial mode), dbf MM ( τ i , S , e , can beobtained from demand bound function for non-mixed sporadic tasks (see Equation 2). L i = m − . The maximum demand generated by task τ i with L i = m − during the interval [0 , S m ) is equal to the sum of demand of all jobs releasedduring [0 , S m ) and the execution demand of J Ai during [0 , S m ) .Let DEM i ( r A ) denote the demand that τ i generates during [0 , S m ) when r ( J Ai ) = r A and all jobs are released as soon as possible with period T i . Given r ( J Ai ) there will beat most n m − = (cid:98) ( S m − ( r ( J Ai ) + T i )) /T i (cid:99) jobs released during [0 , S m ) . Here n m − denotethe number of jobs released between J Ai and J Bi . When r ( J Ai ) + T i > S m , i.e., J Ai isthe only job from τ i that generates demand during [0 , e ) , and in this case DEM i ( r A ) isequal to dbf MM ( J Ai , S m , e , m ) . Then we have DEM i ( r A ) = (cid:26) dbf MM ( J Ai , S m , e , m ) if r ( J Ai ) + T i > S m dbf MM ( J Ai , S m , e , m )+ n m − C m − i + dbf MM ( J Bi , S m , e , m ) otherwise(5)If all tasks have integer release times, we can simply get dbf MM ( τ i , S m , e , m ) = max r A ∈{ , − , − ,..., − T i } { DEM i ( r A ) } For more generic cases, the lemma defines the release pattern when τ i ( L i = m − generates maximum demand during [0 , S m ) . S m e r ( J Ai ) r ( J Bi ) d ( J Bi , m −
1) time C m − i (a) r ( J Ai ) = − D m − i + C m − i S m e r ( J Ai ) r ( J Bi ) d ( J Bi , m −
1) = e time mod ( e − D m − i , T i ) (b) r ( J Ai ) = mod ( e − D m − i , T i ) − T i Fig. 6: Job release pattern for tasks with L i = m − L EMMA
Task τ i with L i = m − generates maximum demand during [0 , S m ) if r ( J Ai ) = − D m − i + C m − i or r ( J Ai ) = mod ( e − D m − i , T i ) − T i (i.e., deadline d ( J Ai , m −
1) = e ∨ d ( J Bi , m −
1) = e ), and all the jobs are released as soon as possible with period T i .These two pattens are shown in Figure 6(a) and Figure 6(b), respectively. P ROOF . The proof for Lemma 4.3 can be found in Appendix A.2 .
Thus using Lemma 4.3, we define dbf MM ( τ i , S m , e , m ) for task τ i with L i = m − asfollows. dbf MM ( τ i , S m , e , m ) = max (cid:8) DEM i (cid:0) − D m − i + C m − i (cid:1) , DEM i (cid:0) mod ( e − D m − i , T i ) − T i (cid:1)(cid:9) (6) L i ≥ m . The demand generated by task τ i with L i ≥ m during theinterval [0 , e ) is equal to the sum of demand of all jobs released during [ S m − = 0 , e ) and the demand of J Ci as shown in Figure 7.Let DEM i ( r C ) denote the demand that τ i generates during [0 , S m ) when r ( J Ci ) = r C and all jobs are released as soon as possible with period T i . Let n m − denote the num-ber of jobs released during [ S m − , r ( J Di )) and n m denote the number of jobs releasedafter S m with deadline D mi before e . Given the value of r ( J Ci ) , n m − = (cid:98) ( S m − r ( J Ci ) − T i ) /T i (cid:99) . The first job released after J Di , J D +1 i , is released at r ( J Ci ) + ( n m − + 2) × T i , andhence n m = (cid:98) ( e − r ( J D +1 i ) − D mi ) /T i (cid:99) + 1 . Note that if n m − < , i.e., S m < r ( J Ci ) + T i ,it implies there does not exist J Di . Therefore we have DEM i ( r C ) = dbf MM ( J Ci , S m , e , m ) + n m − C m − i + dbf MM ( J Di , S m , e , m ) + n m C mi if S m ≥ r ( J Ci ) + T i dbf MM ( J Ci , S m , e , m ) + n m C mi if S m < r ( J Ci ) + T i (7)If all tasks have integer release times, we can simply get e r ( J Ci ) r ( J Di ) S m d ( J Li , m ) S m − n m − × C m − i n m × C mi Fig. 7: Job release pattern for tasks with L i ≥ mdbf MM ( τ i , S m , e , m ) = max r C ∈{ , − , − ,..., − T i } { DEM i ( r C ) } For more generic cases, the lemma defines the release pattern so that τ i with L i ≥ m generates maximum demand during [0 , e ) .L EMMA
Task τ i with L i ≥ m generates maximum demand during [0 , e ) if r ( J Ci ) = mod ( e − D mi , T i )) − T i (i.e, the last job released before e has d ( J Li , m ) = e )or r ( J Ci ) = mod ( e − D m − i , T i ) − T i (i.e., d ( J Li , m −
1) = e ) or r ( J Ci ) = − D m − i + C m − i and all the jobs are released as soon as possible with period T i . P ROOF . The proof for Lemma 4.4 can be found in Appendix A.2.Using Lemma 4.3, we define the dbf MM ( τ i , S m , e , m ) for task τ i with L i ≥ m as fol-lows. dbf MM ( τ i , S m , e , m ) =max (cid:8) DEM i ( mod ( e − D mi , T i ) − T i )) , DEM i ( − D m − i + C m − i ) , DEM i ( mod ( e − D m − i , T i ) − T i )) (cid:9) (8) ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. fficient Schedulability Test for Dynamic-Priority Scheduling of MC Real-Time Systems x:13 τ ( dbf MM ( τ, S m , e , m ) ) Now we have presented the MM dbf for each task. We can simply add up the demandof all tasks in the system to get the dbf for the task set τ . dbf MM ( τ, S m , e , m ) = (cid:88) L i ≥ m − dbf MM ( τ i , S m , e , m ) (9)Discussion: The MM dbf derived in this section cannot be directly applied to a moregeneralized MC model [Ekberg and Yi 2014] where each task has different periods indifferent criticality modes. The main challenge in this extension is that we need tofigure out the execution pattern (i.e., the release time of J Ai and J Ci ) that can resultin worst-case demand in the more generalized model. Of course, we can still computethe demand for all possible release patterns and choose the maximum one, but it canbe very computational expensive. For space reason, we would leave this as our futurework.
5. VIRTUAL DEADLINE ASSIGNMENT
From the previous sections we know that the virtual deadline for each criticality mode plays a key role in shaping the demand of carry-over jobs. The choice of virtual deadline for each task therefore has a significant impact on the performance of the proposed schedulability test. We can decrease $\tau_i$'s demand in $L_m$ ($m > 1$) criticality mode at the cost of increasing the demand in previous modes. By choosing suitable values for $D_i^{m-1}$ for each $\tau_i$, we can increase the chances that $\tau$ is schedulable in $L_m$ criticality mode.

The process of finding suitable values for the virtual deadlines is very challenging, because it is infeasible to try all possible combinations of $D_i^m$ for all the tasks in different criticality modes. In this section, we propose a heuristic virtual deadline tuning algorithm which has pseudo-polynomial time complexity as long as the system utilization of each criticality mode is bounded by some constant smaller than 1.

In Section 3 and Section 4 we introduced the existing single-mode dbf-based schedulability test and our proposed multi-mode dbf-based test, respectively. An MC task system $\tau$ is schedulable in $L_m$ mode, assuming no deadline miss happens in previous criticality modes, if one of the following two conditions holds.

(1) $CN_m^S$: ∀ e ∈ { , , . . . , $e_{\max}$ } : $\mathrm{dbf}_{SM}(\tau, e, m) \le e$ (Theorem 3.1).
(2) $CN_m^M$: ∀ e ∈ { , , . . . , $e_{\max}$ } : ∀ $S_m$ ∈ { , , . . . , e } : $\mathrm{dbf}_{MM}(\tau, S_m, e, m) \le e$ (Theorem 4.2).

Though the complexity of both of the above conditions is pseudo-polynomial, there is a quadratic increase in complexity to check condition $CN_m^M$. For a certain $e_{\max}$, while the SM dbf test [Ekberg and Yi 2014] needs to calculate the demand $e_{\max}$ times, the MM dbf test needs to calculate the demand $e_{\max} \times e_{\max}$ times. Therefore, as shown in line 18-27 in Algorithm 1, we use the condition $CN_m^M$ as a complement, i.e., only when condition $CN_m^S$ fails at a certain $e$ do we check whether condition $CN_m^M$ is satisfied for that time interval length.
Thus, once we find an e f such that dbf SM ( τ, e f , m ) > e f ,we use the Multi-Mode demand bound function to check whether the following holds. ∀ e ∈ { e f , e f + 1 , . . . , e max } : dbf MM ( τ, S m = e − e f , e , m ) ≤ e If the above inequalities hold, then it means no deadline miss happens e f time unitsafter S m . Otherwise a candidate task will be chosen and its virtual deadline D m − i isreduced by .In Algorithm TuneMode(m), if both CN Mm and CN Sm fail at a certain e , then a can-didate task is chosen and its virtual deadline D m − i is reduced by one unit. By doing ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. :14 X. Gu et al. this, we can reduce the demand of these tasks in L m criticality mode. It does thiswithout considering the schedulability in L m − criticality mode itself, hoping that τ in L m − criticality mode can later be made schedulable by decreasing deadlines for L m − criticality mode, i.e., D m − i . Once D m − i decreases to C m − i , τ i is eliminated from thecandidate sets Ψ m , and then we need to find another candidate task. We repeat theabove steps until TuneMode(m) returns true or the candidate task set Ψ m becomesempty.An exceptional scenario is that: if we decrease D i to reduce the demand in L crit-icality mode, τ may become unschedulable in L criticality mode. However there doesnot exist D i , and hence we cannot tune D i to reduce the demand in L criticalitymode. Therefore in this case, TuneMode(m) will undo the changes to deadlines thatwould make τ unschedulable in L criticality mode. 
Here undo the changes to dead-lines means D i = D i + 1 , and then the candidate task τ i is removed from Ψ m .Algorithm 2 (TuneSystem( τ )) applies Algorithm 1 (TuneMode(m)) on all the critical-ity modes starting from L M criticality mode and proceeding in a reverse order, untilit has successfully tuned the deadlines in all the criticality modes or failed to do soin some criticality mode. Therefore, the complexity of Algorithm 2 (TuneSystem( τ ))increases linearly as the number of levels increases because the complexity of Algo-rithm 1 (TuneMode(m)) is independent of the value of m .Finally, to select a candidate task for deadline tuning in each iteration,TuneMode(m) uses Algorithm 3 (find candidate m( Ψ , e )). Note that, GreedyTun-ing [Ekberg and Yi 2012] uses a very simple metric to choose a candidate task, i.e., τ i with the maximum ∆ i = dbf SM ( τ i , e , m ) − dbf SM ( τ i , e − , m ) is always chosen as a candidate task. Here ∆ i denote the demand change of τ i usingSingle-Mode dbf if D m − i ← D m − i − .However, there are many other parameters which are also important in choosing agood candidate task. Therefore, in Algorithm 3, we extend this metric to additionallyconsider other factors in candidate selection such as the impact of change in virtualdeadline on the schedulability for previous mode ( L m − ). In Section 6, we show thatthe new metric for choosing a candidate task outperforms the one in [Ekberg and Yi2014].To maximize schedulability in L m mode by reducing the demand of a candidate task,a task with larger ∆ i is preferable. Meanwhile when a candidate task τ i ’s virtual dead-line D m − i decreases by one, the impact on the demand of L m − mode is different.Suppose task set τ has task τ and τ where T = D = D = 10000 and τ has T = D = D = 2 . Also, suppose L mode of τ is currently not schedulable but can be tunedto become schedulable if either D or D decreases by one. The impact of D ← D − or D ← D − is different, i.e., ∆ D D = 0 . 
and ∆ D D = 0 . . If D ← D − , the systemdemand of L mode stays the same for any time interval length e ( < . As a result,the L mode is easier to be schedulable if D decreases to compared to the caseif D decreases to . From the above discussion, we know a task with larger ∆ i and D m − i is more likely to become a better candidate task. Therefore, among all possiblecandidate tasks in Ψ m , we use ∆ i × D m − i as the main metric to choose a candidatetask.Until now, we did not consider case when all tasks have ∆ i = 0 ⇒ ∆ i × D m − i =0 . This means that, there does not exist a candidate task so that the total demandwould decrease if D m − i ← D m − i − . As shown in Figure 4, if ∆ i = 0 , it must bethat len i = mod ( e , T i ) − ( D mi − D m − i ) − C m − i > . The demand of τ i would start to ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. fficient Schedulability Test for Dynamic-Priority Scheduling of MC Real-Time Systems x:15
decrease if $D_i^{m-1} \leftarrow D_i^{m-1} - len_i -$ . Therefore, we also choose those tasks with the $\min\{\max\{0, len_i\}\}$ among those candidate tasks. Hence in Algorithm 3, we sort tasks in $\Psi_m$ with first key $\Delta_i \times D_i^{m-1}$ in ascending order and then with second key $\max\{0, len_i\}$ in descending order.

ALGORITHM 1: TuneMode(m)

    Ψ_m ← { τ_i | L_i ≥ m };
    changed ← False;
    while changed = True do
        changed ← False;
        for e ∈ { , , . . . , e_max } do
            if m = 2 and dbf ISM ( τ, e , > e then
                if changed = True then
                    D_i ← D_i + 1;
                    Ψ_m.remove(τ_i);
                    changed ← True;
                    break;
                end
                else
                    return False
                end
            end
            if dbf_SM(τ, e, m) > e then
                CN_m^M ← True;
                for e ∈ { e , e + 1 , . . . , e_max } do
                    if dbf MM ( τ, S m = e − e , e ) > e then
                        CN_m^M ← False;
                        break;
                    end
                end
                if CN_m^M = True then
                    continue;
                end
                if Ψ_m = ∅ then
                    return False
                end
                τ_i ← find candidate m(Ψ_m, e) (Algorithm 3);
                D_i^{m-1} ← D_i^{m-1} − 1;
                if D_i^{m-1} < C_i^{m-1} then
                    D_i^{m-1} ← D_i^{m-1} + 1;
                    Ψ_m.remove(τ_i);
                end
                else
                    changed ← True;
                    break;
                end
            end
        end
    end
    return True
ALGORITHM 2: TuneSystem(τ)

    M ← max_{τ_i ∈ τ} { L_i };
    for m ∈ { M to } do
        if TuneMode(m) = False then
            return False
        end
    end
    return True

ALGORITHM 3: find candidate m(Ψ, e)

    Q ← empty queue;
    for τ_i ∈ Ψ do
        Q.insert(∆_i × D_i^{m-1}, max{0, len_i}, τ_i);
    end
    Q.sort(ascending, descending);  // sort tasks in Ψ with first key ∆_i × D_i^{m-1} in ascending order and then with second key max{0, len_i} in descending order
    τ_i ← Q.pop();  // return the corresponding task
    return τ_i
6. EVALUATION
In this section we evaluate the ability of the proposed virtual deadline assignment strategy and the MM dbf based test (i.e., Algorithm 2) to schedule MC task systems. We use acceptance ratios, i.e., the fraction of schedulable task sets, as the metric to evaluate our proposed approach.

We aim to compare with the existing work named GreedyTuning [Ekberg and Yi 2014], which is based on SM dbf. Extensive experiments in [Ekberg and Yi 2014] have already shown that this work outperforms existing studies (e.g., [Baruah et al. 2012a; Baruah et al. 2011a; Vestal 2007]) for a variety of generic real-time systems. Therefore, through comparison with this SM dbf work, we aim to show in this section that the techniques proposed in this paper also outperform those studies, including the one based on the SM dbf test.

We consider MC sporadic tasks scheduled on a dedicated unit speed uniprocessor platform. We will study the impact of varying task parameters on the acceptance ratios of these approaches: 1) GreedyTuning (GT) [Ekberg and Yi 2014]; 2) the SM dbf test from [Ekberg and Yi 2014] with the improved deadline assignment strategy (i.e., Algorithm 3) (GTI); 3) our improved dbf-based test (IMPT, i.e., Algorithm 2).
Suppose task set $\tau$ is an empty task set ($\tau = \emptyset$) initially. Randomly generated tasks are added to the task set $\tau$ repeatedly until certain requirements are met. Each task is generated according to the following parameters.

— $P(m)$ denotes the probability that $\tau_i$ has $L_i = m$.
— $C_i^1$ is drawn using a uniform distribution over [1 , .
— $RC_m$ denotes the maximum ratio of $C_i^m / C_i^{m-1}$.
— $C_i^m$ is drawn using a uniform distribution over $[C_i^{m-1}, RC_m \times C_i^{m-1}]$.
— $T_i$ is drawn using a uniform distribution over [ $C_i^{L_i}$ , .
— $D_i$ is drawn using a uniform distribution over $[D_i^{MIN}, T_i]$, where $D_i^{MIN} = \lfloor C_i^{L_i} + RD \times (T_i - C_i^{L_i}) \rfloor$, and RD ∈ [0 ,
Let $U_\tau = \max_{m \in \{1, 2, \ldots, M\}} \left\{ \sum_{L_i \ge m} \frac{C_i^m}{T_i} \right\}$ denote the utilization bound of a task set $\tau$. For a given utilization bound, our generation procedure requires $U_\tau$ to fall within the small interval $[U_{bound} - \epsilon, U_{bound}]$ ( $\epsilon$ = 0 . ). As long as $U_\tau < U_{bound} - \epsilon$, a new task is randomly generated and added to $\tau$. Once $U_\tau$ falls within the range $[U_{bound} - \epsilon, U_{bound}]$, the generation procedure for $\tau$ is considered complete. However, if $U_\tau$ becomes greater than $U_{bound}$ after a new task $\tau_i$ is added to $\tau$, we discard the whole task set and start with a new empty task set.

Fig. 8: Dual-Criticality Task Systems with RD ∈ { . , } and P (2) = 0 .

Fig. 9: Dual-Criticality Task Systems with RD = 0 . and P (2) ∈ { . , . }
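The task-set generation procedure described above, written out as an added example (it is not code from the paper). The upper bounds for the lowest-level WCET and for $T_i$, and the value of $\epsilon$, are truncated on this page, so `C1_MAX`, `T_MAX` and `EPSILON` are placeholder assumptions, as are the integer-valued parameters and all function and field names.

```python
import math
import random
from dataclasses import dataclass

# Placeholder assumptions: the page's own values for these three constants
# are truncated in the text, so they are NOT the paper's settings.
C1_MAX = 10      # assumed upper bound for the lowest-level WCET
T_MAX = 200      # assumed upper bound for the period T_i
EPSILON = 0.005  # assumed width of the accepted utilization window


@dataclass
class Task:
    level: int     # L_i, criticality level in 1..M
    wcet: list     # wcet[m-1] = C_i^m for m = 1..L_i (non-decreasing)
    period: int    # T_i
    deadline: int  # D_i, constrained deadline (D_i <= T_i)


def draw_task(rng, p_level, rc, rd):
    """Draw one task. p_level[m-1] = P(m); rc[m] = RC_m for m >= 2; rd = RD."""
    levels = list(range(1, len(p_level) + 1))
    level = rng.choices(levels, weights=p_level)[0]
    # Integer parameters are an assumption of this example.
    wcet = [rng.randint(1, C1_MAX)]
    for m in range(2, level + 1):
        prev = wcet[-1]
        # C_i^m uniform over [C_i^{m-1}, RC_m * C_i^{m-1}]
        wcet.append(rng.randint(prev, math.floor(rc[m] * prev)))
    c_top = wcet[-1]  # C_i^{L_i}
    period = rng.randint(c_top, max(T_MAX, c_top))
    # D_i^MIN = floor(C_i^{L_i} + RD * (T_i - C_i^{L_i}))
    d_min = math.floor(c_top + rd * (period - c_top))
    deadline = rng.randint(d_min, period)
    return Task(level, wcet, period, deadline)


def utilization(tasks, num_levels):
    """U_tau = max over modes m of the sum of C_i^m / T_i over tasks with L_i >= m."""
    return max(
        sum(t.wcet[m - 1] / t.period for t in tasks if t.level >= m)
        for m in range(1, num_levels + 1)
    )


def generate_task_set(rng, u_bound, p_level, rc, rd,
                      eps=EPSILON, max_restarts=100_000):
    """Add random tasks until U_tau lands in [u_bound - eps, u_bound].

    If a newly added task pushes U_tau above u_bound, the whole set is
    discarded and generation restarts from an empty set.
    """
    num_levels = len(p_level)
    for _ in range(max_restarts):
        tasks = []
        while True:
            tasks.append(draw_task(rng, p_level, rc, rd))
            u = utilization(tasks, num_levels)
            if u > u_bound:
                break          # overshoot: discard and restart
            if u >= u_bound - eps:
                return tasks   # inside the accepted window
    raise RuntimeError("no task set found within max_restarts attempts")


if __name__ == "__main__":
    rng = random.Random(2015)  # fixed seed so the run is repeatable
    ts = generate_task_set(rng, u_bound=0.6, p_level=[0.5, 0.5],
                           rc={2: 3}, rd=0.5)
    print(len(ts), "tasks, U_tau =", round(utilization(ts, 2), 4))
```

With `rd=1.0` every task gets $D_i = T_i$, which is the implicit-deadline setting.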
Figure 8 shows the acceptance ratio as a function of utilization (
U bound ) of task setsgenerated with RC = 3 , P (1) = P (2) = 0 . and RD ∈ { . , } . Each data is basedon 1000 randomly generated task sets. As shown in Figure 8, our improved dbf-basedschedulability test (IMPT) strictly outperforms GreedyTuning (GT). However the per-formance gap between GT and IMPT is very small when RD = 1 , which implies GTalready does quite well in scheduling dual-criticality implicit deadline task systems.Figure 9 shows the acceptance ratios of task sets generated with RD = 0 . , RC = 3 and P (2) ∈ { . , . } . The acceptance ratios of task sets with RD = 0 . , RC = 3 and P (2) = 0 . can be found in Figure 8. We can observe that as P (2) increases from . to . , the acceptance ratio of GT drops quickly. Even though the SM dbf testwith the improved deadline assignment strategy (GTI) always has a higher acceptanceratio than GT, its acceptance ratio is much lower than IMPT when P (2) = 0 . . Oneinterpretation for this trend is that SM dbf test is not good at scheduling systems witha larger percentage of high critical tasks. On the other hand, the acceptance ratio ofIMPT drops much slower, and its acceptance ratio becomes almost two times as muchas GT when P (2) = 0 . and U bound = 0 . . In fact, the acceptance ratio of IMPT when P (2) = 0 . is closer to its acceptance ratio when P (2) = 0 . . In this section we compare the acceptance ratios of different tests for multi-criticalitytask systems. Figure 10 shows the acceptance ratios of three level systems with P (1) = P (2) = P (3) = 1 / , RC = RC = 2 and RD ∈ { . , } . As we can observe,the performance of all the three approaches drops, but IMPT very well outperformsGT even for small utilization bounds.Fig. 10: Three Level Task SystemsTo study how the acceptance ratio changes as the number of criticality levels in-creases, we here present the weighted acceptance ratios of different approaches foreach criticality level. 
Suppose A ( U ) is the acceptance ratio of a certain approach forutilization U ∈ [0 . , . , . , . . . , . , then the weighted acceptance ratio is defined ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. fficient Schedulability Test for Dynamic-Priority Scheduling of MC Real-Time Systems x:19 as (cid:80) U ∈{ . , . , . ,..., . } A ( U ) × U (cid:80) U ∈{ . , . , . ,..., . } U . (a) Weighted Acceptance Ratio RD = 1 (b) Weighted Acceptance Ratio RD = 0 . Fig. 11: Weighted Acceptance RatioAs we can observe, the gap in weighted acceptance ratio between GT and IMPT is infact quite small when the criticality level is equal to . However, this gap become muchlarger when the criticality level becomes greater than . The acceptance ratio of IMPTalso becomes lower (especially for the case when RD = 0 . ) as the number of criticalitylevel increases. One interpretation for this trend may be that, there is not enough spaceto tune the virtual deadlines since we need to set multiple virtual deadlines for eachtask. However, note that, it does not mean that the proposed approach IMPT has verypoor performance, and can schedule only a small portion of generated task sets. Sincethere is no known exact feasibility test for MC task systems, we are unable to eliminateall the infeasible from our experiments. Nevertheless, we can still conclude that theproposed approach in this paper outperforms GT for a variety of generic systems.
7. CONCLUSIONS
We first introduced the existing single-mode demand bound functions [Ekberg and Yi 2014], which characterize the demand of mixed-criticality sporadic tasks. They use a pessimistic upper bound to characterize the demand of carry-over jobs by assuming that the previous criticality mode is schedulable. As a result, the single-mode dbfs overestimate the demand of carry-over jobs. Because of this drawback, the performance of the single-mode dbf based test decreases significantly as the number of criticality levels increases.

To avoid this problem of the single-mode dbf based schedulability test, we propose multi-mode dbfs, which consider the execution demand in the previous criticality mode to determine the remaining execution for carry-over jobs. The proposed multi-mode dbf based test avoids the problem of the single-mode dbf at the cost of a quadratic increase in complexity. In practice it could be computationally expensive to use the multi-mode dbf based test directly. Therefore we propose a novel heuristic deadline tuning algorithm which uses the multi-mode dbf as a complement to reduce the off-line computation time. Finally, we show through experiments that our proposed approach outperforms the single-mode dbf based schedulability test [Ekberg and Yi 2014].
Often, EDF is quoted as being too unpredictable in case of overloads, since it is practically impossible to predict which jobs will suffer the extra delays. This is not the case for mixed-criticality systems, because more important (or critical) tasks will be prioritized in an overload situation.

Though we use the multi-mode dbfs as a complement to reduce off-line computation time, the test still takes a lot of time compared to the single-mode dbf based test. As future work we plan to find a strategy to reduce the computation time of our proposed approach. One limitation of the multi-mode dbf is that it is limited to constrained deadline MC systems. Even though it seems straightforward to extend it to arbitrary deadlines, it can become very pessimistic because there would exist more than one carry-over job. Therefore in the future we also plan to address this problem and extend the multi-mode dbf to arbitrary deadline mixed-criticality systems.
A. APPENDIXA.1. Demand bound function for carry-over jobs
In Section 4 we have derived the MM dbf for individual tasks as well as for the entiretask system. These functions use the dbf for the carry-over jobs at mode switches S m − and S m (i.e., jobs J Ai , J Bi , J Ci and J Di defined in Section 4). For simplicity we assume S m − = 0 because the dbf for carry-over jobs is independent of S m − . In this section,we derive an bound of the demand of these jobs. In order to present the dbf, we willmake use of the following conditions on the virtual deadlines of these jobs in variousmodes. Condition (1). d ( J Xi , m −
2) = r ( J Xi ) + D m − i < S m − . Condition (2). d ( J Xi , m −
1) = r ( J Xi ) + D m − i < S m . Condition (3). d ( J Xi , m ) = r ( J Xi ) + D mi ≤ e . Condition (4). d ( J Xi , m −
1) = r ( J Xi ) + D m − i ≤ e . S m − S m e d ( J Ai , m − r ( J Ai ) d ( J Ai , m − C m − i C m − i time Fig. 12: J Ai : ¬ (1) ∧ ¬ (4) J Ai would either only experience mode-switch at S m − or mode-switches at S m and S m − . If J Ai has its virtual deadline d ( J Ai , m − < S m − (i.e., condition (1)), thenit must already finish before S m − . On the other hand if ¬ (1) : d ( J Ai , m − ≥ S m − and (4) : d ( J Ai , m − ≤ e , the execution demand of J Ai is bounded by min { d ( J Ai , m − − S m − , C m − i } + C m − i − C m − i . The demand of J Ai after S m − isalso bounded by S m because J Ai would not execute after S m . An extreme case is when ¬ (4) : r ( J Ai ) + D m − i > e as shown in Figure 12, and in this case J Ai generates 0 de-mand after S m − because its deadline is out of the time interval of interest. Hence wegeneralize dbf MM ( J Ai , S m , e , m ) as follows. dbf MM ( J Ai , S m , e , m ) = (cid:40) min (cid:8) min (cid:8) r ( J Ai ) + D m − i , C m − i (cid:9) + C m − i − C m − i , S m (cid:9) If ¬ (1) ∧ (4)0 Otherwise (10)
ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. fficient Schedulability Test for Dynamic-Priority Scheduling of MC Real-Time Systems x:21 J Bi is similar to J Ai except that we can ignore condition (1) because it can never betrue. To maximize J Bi ’s demand, we assume it executes continuously from r ( J Bi ) . Againif its deadline d ( J Bi , m − > e , it would generate 0 demand. Hence, we have dbf MM ( J Bi , S m , e , m ) = (cid:26) min (cid:8) C m − i , S m − r ( J Bi ) (cid:9) If (4)0 Otherwise (11)Similar to J Ai , if (1) : d ( J Ci , m − < S m − = 0 ∨ ¬ (4) : d ( J Ci , m − > e , J Ci generates 0 demand during [0 , e ) . If ¬ (1) ∧ (2) , J Ci would already finish by S m , andhence would generate demand equal to C m − i − C m − i +min { d ( J Ci , m − − S m − , C m − i } .If ¬ (1) ∧ ¬ (2) ∧ (3) , J Ci would generate C mi − C m − i + min { d ( J Ci , m − − S m − , C m − i } demand as shown in Figure 13. If ¬ (1) ∧¬ (2) ∧¬ (3) ∧ (4) , J Ci would not generate demandafter S m because its deadline d ( J Ci , m ) is out of the interval of interest. In this case itsdemand is bounded by S m . Hence, we have S m e d ( J Ci , m − r ( J Ci ) d ( J Ci , m ) C m − i C m − i − C m − i time d ( J Ci , m − C mi − C m − i S m − = 0 Fig. 13: J Ci : ¬ (1) ∧ ¬ (2) ∧ (3) dbf MM ( J Ci , S m , e , m ) = If (1) ∨ ¬ (4) C m − i − C m − i + min (cid:8) d ( J Ci , m − , C m − i (cid:9) If ¬ (1) ∧ (2) C mi − C m − i + min (cid:8) d ( J Ci , m − , C m − i (cid:9) If ¬ (1) ∧ ¬ (2) ∧ (3)min (cid:8) S m , C m − i − C m − i + min (cid:8) d ( J Ci , m − , C m − i (cid:9)(cid:9) If ¬ (1) ∧ ¬ (2) ∧¬ (3) ∧ (4) (12) J Di behaves similar to J Ci except we can ignore condition (1) because it can never betrue. Hence, we have dbf MM ( J Di , S m , e , m ) = If ¬ (4) C m − i If (2) C mi If ¬ (2) ∧ (3)min { C m − i , S m − r ( J Di ) } If ¬ (2) ∧ ¬ (3) ∧ (4) (13) A.2. Proofs æ P
ROOF FOR L EMMA (C1): If e ≤ D m − i , obviously the demand of τ i maximizeswhen r ( J Ai ) = mod ( e − D m − i , T i ) − T i , i.e., d ( J Ai , m −
1) = e as shown in Figure 14. (C2): If ( S m ≤ C m − i ∧ e > D m − i ) , we can find the demand of τ i maximizes when r ( J Ai ) = − D m − i + C m − i , which is is bounded by S m as shown in Figure 15. Now we ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. :22 X. Gu et al. S m − S m e d ( J Ai , m − r ( J Ai ) d ( J Ai , m − C m − i C m − i time Fig. 14: Case when e ≤ D m − i S m − S m e d ( J Ai , m − r ( J Ai ) d ( J Ai , m − C m − i C m − i time Fig. 15: Case when ( S m ≤ C m − i ∧ e > D m − i ) can exclude the above two cases, and we only need to consider the case when e >D m − i ∧ S m > C m − i . (C3): If r ( J Bi ) + D m − i ≤ e when r ( J Ai ) = − D m − i + C m − i as shown in Figure 16. As S m − S m e d ( J Ai , m − r ( J Ai ) C m − i C m − i time r ( J Bi ) d ( J Bi , m − C m − i Fig. 16: Case C3we shift the release pattern left, i.e., r ( J Ai ) = − D m − i + C m − i + x | x < , the demandchange of J Ai , ∆ ( x ) , is of the following form. ∆ ( x ) = (cid:26) x If x ∈ [ − C m − i , − C m − i If x ∈ [ − C m − i + D m − i − T i , − C m − i ) Meanwhile the demand of J Bi will at most increase linearly, and hence the total de-mand of τ i will stay the same or decrease as we shift the pattern left. As we shift therelease pattern right, the demand of τ i will only decrease or stay the same. Thereforein this case the demand of τ i maximizes when r ( J Ai ) = − D m − i + C m − i . (C4): If r ( J Bi ) + D m − i > e when r ( J Ai ) = − D m − i + C m − i as shown in Figure 17.As we shift the release pattern right, then obviously the demand of τ i would staythe same or decrease. On the other hand as we shift the release pattern left, i.e., r ( J Ai ) = − D m − i + C m − i + x | x < , demand of J Bi will first increase from to y = dbf MM ( J Bi , S m , e , m ) | r ( J Bi ) + D m − i = e (assuming at this time x = x ), and then in-creases linearly to C m − i . 
When x > x , the demand of J Ai will decrease but the demandof other jobs (including J Bi ) stay the same. When x = x , the change demand of J Ai isequal to − C m − i if x < − C m − i , or x if x ≥ − C m − i . If x < − C m − i and y + x ≥ ,then the demand of τ i maximized at this time ( r ( J Ai ) = mod ( e − D m − i , T i ) − T i ) because ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. fficient Schedulability Test for Dynamic-Priority Scheduling of MC Real-Time Systems x:23 S m − S m e d ( J Ai , m − r ( J Ai ) C m − i C m − i time r ( J Bi ) d ( J Bi , m − C m − i | x | Fig. 17: Case C4as we further shift the pattern left, the the demand of τ i would only decrease or staythe same. Otherwise if y + x < , then total demand of τ i maximizes demand when r ( J Ai ) = − D m − i + C m − i because as we further shift the pattern left, the total demandwould only stay the same or decrease.In sum the demand of τ i | L i = m − during [0 , e ) is maximized if r ( J Ai ) = − D m − i + C m − i or r ( J Ai ) = mod ( e − D m − i , T i ) − T i .P ROOF FOR L EMMA (C1): If e − S m > D mi , the demand of τ i | L i ≥ m during [0 , e ) is maximized when r ( J Ci ) = mod ( e − D mi , T i )) − T i (the last job released before e , J Li , has d ( J Li , m ) = e ) as shown in Figure 18. This is because as we shift the release e r ( J Ci ) r ( J Di ) S m d ( J Li , m ) S m − Fig. 18: Case when e − S m > D mi pattern right, the demand of J Li would decrease from C mi to while the increase indemand of other jobs including J Ci and J Di is bounded by C mi . On the other hand as weshift the release pattern left, the total demand of all jobs would decrease or stay thesame. (C2): If e − S m < D mi − D m − i , no job of τ i could execute more than C m − i (no job willexecute after S m ). 
Thus τ i behaves as a task with L i = m − , and from Lemma 4.3 weknow the demand of τ i is maximized when r ( J Ci ) ∈ {− D m − i + C m − i , mod ( e − D m − i , T i ) − T i } . (C3): If D mi − D m − i ≤ e − S m ≤ D mi , at most one job (either J Ci or J Di ) could gen-erate execution demand as much as C mi as shown in Figure 19. Thus suppose initially e r ( J Ci ) r ( J Di ) S m S m − d ( J Di , m − d ( J Ci , m − d ( J Di , m ) d ( J Ci , m − Fig. 19: Case when D mi − D m − i ≤ e − S m ≤ D mi r ( J Ci ) = mod ( e − D mi , T i )) − T i , i.e., the scenario of Figure 19. If we shift the release ACM Transactions on Embedded Computing Systems, Vol. x, No. x, Article x, Publication date: January YYYY. :24 X. Gu et al. pattern left, the demand of τ i would only decrease or stay the same. On the other handas we shift the release pattern right, no job would execute after S m , and hence τ i be-haves as a task with L i = m − . Therefore from Lemma 4.3 we know the demand of τ i is maximized when r ( J Ci ) ∈ {− D m − i + C m − i , mod ( e − D m − i , T i ) − T i } .In sum the demand of τ i | L i ≥ m during [0 , e ) is maximized if r ( J Ci ) = − D m − i + C m − i or r ( J Ci ) = mod ( e − D m − i , T i ) − T i or r ( J Ci ) = mod ( e − D mi , T i ) − T i . A.3. Upper Bound of time interval length
For task $\tau_i$ with $L_i = m-1$, we can observe that its demand during $[0, S_m)$ is upper bounded by

$$\left(\frac{S_m - 2 \times C_i^{m-1}}{T_i} + 2\right) \times C_i^{m-1}.$$

For task $\tau_i$ with $L_i \ge m$, its demand during $[0, e)$ is upper bounded by

$$\underbrace{C_i^{m-1}}_{\ge\, dbf_{MM}(J_i^C, S_m, e, m)} + \underbrace{\frac{S_m - C_i^{m-1}}{T_i} \times C_i^{m-1}}_{\ge\, n_{m-1} \times C_i^{m-1}} + \underbrace{C_i^m}_{\ge\, dbf_{MM}(J_i^D, S_m, e, m)} + \underbrace{\frac{e - S_m - D_i^m + T_i}{T_i} \times C_i^m}_{\ge\, n_m \times C_i^m}$$

$$= C_i^{m-1} \times \frac{S_m - C_i^{m-1} + T_i}{T_i} + \frac{e - S_m - D_i^m + 2 \times T_i}{T_i} \times C_i^m.$$

Suppose $dbf_{MM}(\tau, S_m, e, m) > e$, then it must be that

$$\sum_{L_i \ge m} \left( C_i^{m-1} \times \frac{S_m - C_i^{m-1} + T_i}{T_i} + \frac{e - S_m - D_i^m + 2 \times T_i}{T_i} \times C_i^m \right) + \sum_{L_i = m-1} \left( \frac{S_m + 2 \times (T_i - C_i^{m-1})}{T_i} \right) \times C_i^{m-1}$$

$$= S_m \times \underbrace{\left( \sum_{L_i = m-1} \frac{C_i^{m-1}}{T_i} + \sum_{L_i \ge m} \frac{C_i^{m-1} - C_i^m}{T_i} \right)}_{\text{Exp A}} + \underbrace{\sum_{L_i = m-1} \frac{T_i - C_i^{m-1}}{T_i} \times 2 \times C_i^{m-1}}_{\text{Exp B}}$$

$$+ \underbrace{\sum_{L_i \ge m} \left( \frac{2 \times T_i - D_i^m}{T_i} \times C_i^m + \frac{T_i - C_i^{m-1}}{T_i} \times C_i^{m-1} \right)}_{\text{Exp C}} + \sum_{L_i \ge m} \frac{C_i^m}{T_i} \times e > e.$$

If $\text{Exp A} > 0$, the total demand is maximized if $S_m = e$, and else if $\text{Exp A} \le 0$, the total demand is maximized if $S_m = 0$. Therefore the value of $e$ is bounded by

$$\frac{\text{Exp B} + \text{Exp C}}{1 - \sum_{L_i \ge m} \frac{C_i^m}{T_i}} \quad \text{or} \quad \frac{\text{Exp B} + \text{Exp C}}{1 - \sum_{L_i \ge m} \frac{C_i^m}{T_i} - \text{Exp A}}.$$
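The bound on $e$ derived in Section A.3 can be evaluated directly for a concrete task set, which is what limits the search over interval lengths when the demand-based test is implemented. The following is an added example, not code from the paper; the `Task` fields, the function names and the task parameters used with it are constructed for illustration, and exact rational arithmetic is used so the bound is not distorted by rounding.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Task:
    T: int           # minimum release separation T_i
    L: int           # criticality level L_i
    C_prev: int      # C_i^{m-1}
    C_cur: int = 0   # C_i^m     (used only when L_i >= m)
    D_cur: int = 0   # D_i^m     (used only when L_i >= m)

def exp_terms(tasks, m):
    """Return (Exp A, Exp B, Exp C, sum_{L_i>=m} C_i^m/T_i) from Section A.3."""
    zero = Fraction(0)
    low = [t for t in tasks if t.L == m - 1]
    high = [t for t in tasks if t.L >= m]
    exp_a = (sum((Fraction(t.C_prev, t.T) for t in low), zero)
             + sum((Fraction(t.C_prev - t.C_cur, t.T) for t in high), zero))
    exp_b = sum((Fraction(t.T - t.C_prev, t.T) * 2 * t.C_prev for t in low), zero)
    exp_c = sum((Fraction(2 * t.T - t.D_cur, t.T) * t.C_cur
                 + Fraction(t.T - t.C_prev, t.T) * t.C_prev for t in high), zero)
    u_high = sum((Fraction(t.C_cur, t.T) for t in high), zero)
    return exp_a, exp_b, exp_c, u_high

def demand_upper_bound(tasks, m, s_m, e):
    """Linear upper bound on the total demand for a switch instant S_m and length e."""
    exp_a, exp_b, exp_c, u_high = exp_terms(tasks, m)
    return s_m * exp_a + exp_b + exp_c + u_high * e

def interval_bound(tasks, m):
    """Largest e that still needs checking, or None if the bound is not finite.

    Exp A > 0 corresponds to S_m = e, Exp A <= 0 to S_m = 0.
    """
    exp_a, exp_b, exp_c, u_high = exp_terms(tasks, m)
    slope = u_high + max(exp_a, Fraction(0))
    if slope >= 1:
        return None  # denominator would be <= 0: demand bound never falls below e
    return (exp_b + exp_c) / (1 - slope)

# Constructed task sets for the switch to level m = 2.
HIGH = [Task(T=20, L=2, C_prev=3, C_cur=6, D_cur=15),
        Task(T=25, L=2, C_prev=2, C_cur=5, D_cur=20)]
SET_NEG = [Task(T=10, L=1, C_prev=2)] + HIGH   # Exp A <= 0
SET_POS = [Task(T=10, L=1, C_prev=4)] + HIGH   # Exp A > 0
```

For any `e` at or beyond the returned value, `demand_upper_bound` is at most `e` for every `S_m` in `[0, e]`, so no longer interval can violate the test.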