Integration of Resource Synchronization and ... - IEEE Xplore

0 downloads 0 Views 1MB Size Report
sume tasks are independent, i.e., they do not share data that need to be protected with synchronization mechanisms like mutexes or semaphores. In this paper ...
2013 IEEE International Conference on Embedded and Real-Time Computing Systems and Applications

Integration of Resource Synchronization and Preemption-Thresholds into EDF-Based Mixed-Criticality Scheduling Algorithm Haibo Zeng McGill University, Canada

Qingling Zhao and Zonghua Gu Zhejiang University, China Abstract-In

mixed-criticality systems, multiple subsystems

with different levels of criticality may co-exist on the same hard­ ware platform. Many scheduling algorithms have been proposed to achieve certification at multiple levels of criticality. However, current MCS algorithms and analysis techniques generally as­ sume tasks are independent, i.e., they do not share data that need to be protected with synchronization mechanisms like mutexes or semaphores. In this paper, we address this limitation by

Stack Resource Protocol (SRP) , Mixed-Criticality-SRP (MC-SRP). Moreover, preemption­

presenting an extension to the called

threshold scheduling is a well-known technique for reducing stack space size and enhance schedulability in resource-constrained embedded systems. We also present the integration of preemption­ thresholds into EDF-based mixed-criticality scheduling (MCS) algorithms, and develop the schedulability analysis methods to such systems.

I. INTRODUCT ION AND RELATED WORK Today's complex embedded systems need to integrate diverse applications with varying levels of importance, or criticality. For example, in the avionics certification standard DO-I78B, there are 5 criticality levels, classified according to the degree of damage caused by failure of the application: catastrophic; hazardous; major; minor; no e ffect. Similarly, in the automotive certification standard ISO 26262, there are 4 criticality levels Automotive Safety-Integrity Level (ASIL) A, B, C and D, with D being the highest criticality level. In order to address system integration challenges of mixed­ criticality systems, Mixed-Criticali ty Scheduling (MCS) has been proposed to achieve strong temporal protection for high­ criticality tasks and efficient utilization of hardware resources, for fixed-priority scheduling [1] and EDF (Earliest Deadline First) scheduling [2]. Current MCS algorithms and analysis techniques generally assume tasks are independent, i.e., they do not share data that need to be protected with synchro­ nization mechanisms like mutexes or semaphores. This is an important limitation that severely restricts the applicability of MCS to realistic applications. In this paper, we address this limitation by presenting extensions to the Stack Resource Pro­ tocol (SRP) [3], a well-known shared-resource synchronization protocol used in the context of EDF scheduling, to make it applicable to MCS. Ekberg et al [2] proposed the dual-deadline model in the context of EDF scheduling, where each task is associated with two deadlines: a low (LO)-criticality mode virtual relative deadline and a high (HI)-criticality mode relative deadline. This model has been shown to outperform the other approaches 978-1-4799-0850-9/13/$31.00 ©2013 IEEE

227

to mixed-criticality scheduling. However, it did not consider resource sharing. An important and useful property of SRP is that each job can be blocked at most once, before it starts running. However, it no longer holds for the dual-deadline model in [2], which may introduce unbounded blocking if the original SRP is directly applied. In this paper, we adapt SRP to the dual-deadline model, and propose Mixed-Criticality-SRP (MC-SRP), along with schedulability test for it. Our protocol ensures that each task is blocked at most once in each (LO or HI-criticality) mode, that is, at most twice in its lifetime, thus providing an upper bound for the worst-case blocking time. We also present integration of preemption threshold scheduling to minimize stack space usage. Wang et al [4] introduced the notion of Preemption Threshold Scheduling (PTS), which allows a task to disable preemption from other tasks up to a certain degree: each task is assigned a threshold priority that is higher than its nominal priority, and only tasks with higher priority than a task's threshold are allowed to preempt it. PTS can be viewed as a technique for controlling the degree of preemption, with fully­ preemptive and fully-non-preemptive scheduling algorithms as special cases. Its benefits include: minimizing the application stack space requirement compared to fully-preemptive schedul­ ing, which is very important for mass-produced, cost-sensitive embedded systems like automotive embedded control systems; and improving schedulability (in certain cases) compared to both preemptive and non-preemptive scheduling. PTS can be supported natively by the RTOS kernel, e.g., ThreadX from Express Logic, or built on top of the existing synchronization mechanisms by introducing pseudo-resources [5]. Although MCS was originally proposed in the context of safety-critical avionics applications, it is also finding its way into the auto­ motive domain, which shares many characteristics and trends with avionics applications. As the automotive industry faces intense cost-cutting pressure in today's competitive market, it is important to minimize hardware costs by adopting cheaper processors with limited hardware (processing and memory) resources. Since PTS can be implemented using pseudo­ resources [5], our extension to SRP also enables integration of PTS with MCS, in order to minimize application task stack usage and improve schedulability in the context of MCS. This can help reduce hardware costs, but it has not been addressed before, perhaps due to the perceived lack of motivation in the avionics domain. Bril et al [6] presented Fixed-Priority Generalized Schedul­ ing (FPGS), a combination of Fixed-priority scheduling

with deferred preemption (FPDS) and Preemption Threshold Scheduling (PTS). In FPDS, each job of a task consists of a sequence of non-preemptive sub-jobs, and preemption is only permitted at preemption points between consecutive sub-jobs. FPGS is a refinement of FPDS with preemption thresholds for both jobs and sub-jobs. It is potential future work to investigate the applicability of FPGS in the context of mixed-criticality scheduling.

Lakshmanan et al [7] presented resource synchronization protocols for Zero-Slack Scheduling (ZSS): PCIP (Priority and Criticality Inheritance Protocol) and PCCP (Priority and Crit­ icality Ceiling Protocol) as extensions to the conventional PIP and PCP for fixed-priority scheduling. ZSS is not designed for achieving safety-certification. It offers asymmetric protection for higher-criticality tasks at the expense of lower-criticality tasks during system overload, but it does not guarantee that all deadlines are met even for tasks at the highest criticali­ ty level. Therefore, synchronization protocols developed for ZSS are not directly applicable to certifiable mixed-criticality scheduling.

This paper is structured as follows: section II introduces terminology and background; section III presents Mixed­ Criticality Stack Resource Protocol (MC-SRP); section IV presents Mixed-Criticality Stack Resource Protocol with Pre­ emption Threshold (MC-SRPT); section VI presents an algo­ rithm for assigning preemption thresholds; section VII presents performance evaluation results; finally, section VIII concludes the paper. II.

TERMINOLOGY AND BACKGROUND

We consider a task set of N mixed-criticality sporadic tasks f {Tl , . . . , T N} . Each task Ti has a tuple of pa­ rameters < Ci (LO) , Ci (H1) , Di , Ti , Li >, where Ci (LO) and Ci (H1) are the task's worst-case execution times in LO- and HI-criticality mode, respectively; Di is its relative deadline; Ti is its period (or minimum inter-release separation time for sporadic tasks). All the above timing parameters are assumed to be non-negative integers. We assume the system is dual-criticality, i.e., there are only two criticality levels HI (high) and LO (low). Thus the criticality level of task Ti is Li E {LO, HI} . We assume constrained deadlines and also make the standard assumptions about the relations between LO- and HI-criticality worst-case execution times: VTi E f, =

Ci (LO)



Ci (H1)



Di



Ti ·

We consider a set of shared resources 91 {PI, . . . , pp} accessed in mutual exclusive way using critical sections. To simplify our presentation, only single-unit resources are considered. We assume that only tasks of the same criticality level can share resources for the sake of isolations of errors to prevent error propagation from non-safety domain to safety domain. The h-th critical section of task Ti is denoted by �i h ((}i h, C;i h) where (}i h E 91 is the resource accessed by the critical section; C;i h is the worst-case execution time of the critical section. =

the presentation of the analysis, we neglect the overhead introduced by the operating system. We define the set of tasks with HI-criticality level as H I (f) {Ti E f I Li HI} and assume the number of tasks in HI(r) is M. Moreover, LO(91) and HI(91) denote the set of resources shared by LO-criticality tasks and resource set shared by HI-criticality tasks, respectively. For compactness of presentation, we define the notation I I . 110 as =

Ilxllo

de! =

=

max(x, 0 ) .

Definition 1 (Carry-over jobs). A job from a HI-criticality task that is active (released, but not finished) at the time of the switch to HI-criticality mode is called a carry-over job. Definition 2 (Mode switch period). The time interval from the time of the switch to HI-criticality mode to the time when all carry-over jobs are finished.

The system can switch back from HI back to LO-criticality mode when the CPU becomes idle, but we do not address it in this paper. We briefly review the Greedy algorithm in [2] using the dual-deadline model. Each task Ti in the mixed-criticality sporadic task set f has a virtual LO-criticality mode relative deadline Di (LO) and a HI-criticality mode relative deadline Di (HI) . Note Di (LO) Di if Li LO and Di (LO) � Di (H1) Di if Li HI. Definition 3 (Demand-bound function). . A demand-bound =

=

=

=

function dbf( Ti , l) gives an upper bound on the maximum possible execution demand of task Ti in any time interval of length t, where demand is calculated as the total amount of required execution time of jobs with their whole scheduling windows within the time interval.

Definition 4 (Supply-bound function) A supply-bound func­ tion sbf(l) , gives a lower-bound on the amount of supplied execution time of the platform in any time window of size t. •

.

We consider a unit-speed, dedicated uniprocessor, with t in this paper.

sbf(l)

=

Proposition 1 ([2]). A mixed-criticality task set f is schedula­ ble by EDF on a platform with supply-bound function sbho in LO-criticality mode and sbf HI in HI-criticality mode ifboth of the following conditions hold: Condition A: Condition B:

VL VL

� �

0, 0,

LTiEr dbfLO (Ti , L) � sbfLO (L) LTiEHI(r) dbfHI (Ti , L) � sbfHI (L)

Demand-bound function dbho ( Ti , L) for task Ti in LO­ criticality mode is:

=

Throughout the paper, we assume that all tasks are sched­ uled based on their absolute deadlines, according to the Earliest Deadline First (EDF) algorithm. Moreover, the initial phases of periodic tasks are arbitrary. Finally, to simplify

228

Demand-bound function dbfHI (Ti , L) for task Ti in HI­ criticality mode is:

e! e(Ti ,L) d=

don

{I

l

Ci (LO) - n + Di (HI) - Di (LO) ' o if Di ( HI ) > n 2: Di (HI ) - Di (LO) 0, otherwise.

Here n is defined as n = L mod Ti . SRP [3]. We briefly review the Stack Resource Protocol (SRP) [3]. Each task Ti is assigned with a dynamic priority 7ri based on EDF, and a static preemption level Ai. Task Ti is not allowed to preempt task Tj unless Ai > Aj. Under the EDF scheduling policy, the static preemption level of Ti is assigned proportional to the inverse of its relative deadline Ai = Such a definition can be easily translated into integer valu�s (refer to the appendix for details). Each resource Pi is assigned a static ceiling equal to the maximum preemption level of any job that may access it: ceil(Pk) =maxi { Ai l Ti needs Pk}. Moreover, a dynamic system ceiling is defined as the high­ est ceiling of all the resources which are held by some job at any time t: IIs =max [ { ceil(kP ) l kp is currently busy} U {O}l. Then, the SRP scheduling rule states that a job is not allowed

�.,

to start executing until its priority is the highest among the active jobs and its preemption level is greater than the system ceiling. SRP ensures that once a task is started, it will never be blocked until completion; it can only be preempted by higher

priority tasks. It may be blocked only once by a lower priority job before it starts running. However, if we use the original SRP in the dual-deadline model, a task can experience un­ bounded blocking, as we will show in the motivating example next. This is undesirable. A. Motivating Example

Consider a mixed-criticality task set, as shown in Table I. Each task has a virtual deadline in the LO-criticality mode besides its absolute deadline. We assume that a task needs to access the related resources during its whole execution time. TABLE l.

Ti

I T2 T

T3 T4

A

MIXED-CRITICALITY TASK SET

rl

Li 9'li

Ti Di(LO) Di(HI) Ci(LO) Ci(HI) 15

6

15

2

HI

20

15

20

2

10

8

10

2

5

5

HI

HI LO

{P2} {p,} {PI, P2}

ec ilLO(dp = max(rA o,fA o) = �, ec ilLO(2P ) = max(fA o,Afo) = �. We can get the pre­ emption levels in the HI-criticality mode as: f A I = �, 15 /\H2 I = 201 ' /\H3 I = 101 ; and the cel Ings f resources In. the 1 HI-criticality mode as ec ilHI(pd = max(A!F,A!F) 10 ' ec ilHI(2p ) =max(HA 1 1,HA3 I) = �. 10

LO-criticality mode as:

\

'1'

,

�(HJ):���I ��-=��� [pi;=] , �-L� + ���t T3(H I) : --1..t�-'---t�...J.Ip� + ...J ....Jl I,p2+.a...----L ..J t �c...� ....L l...� ....L .I... t t � ( LO ) :�, �tJ��������c... � ....L t��� Ll

I

L'

2

o

6

10

8

12

14

16

18 20

Fig. 1 . Multiple blocking: 73 is blocked by both 71 and 72 in the HI-criticality mode. The arrives are depicted with upward arrows, the virtual LO-criticality mode deadlines are depicted with downward dot-dash arrows, and the original deadlines are depicted with downward arrows.

III. MC-SRP

If we use the original SRP directly to the mixed-criticality tasks with double deadlines, we can get the preemption levels in the LO-criticality mode as: fA o = �, rA o = �, 15 6 /\\ LO 3 = 8'1 /\\ LO 4 ="51 ; and the cel'1'Ings 0f resources In. the

\

The timeline is shown in Fig. 1. At time 0, T2 is released. Since there are not any other active tasks and no resource is locked (i.e. IIs =0), T2 starts to execute and locks resource PI immediately; now the system ceiling IIs = ec ilLo(P I) = �. At time 1, Tl,T3,T4 are released simultaneously. Since T4 h�s the earliest LO-criticality mode deadline and its preemption level Afo is higher than IIs, it preempts task T2. At time 2, T4 is finished. Since Tl uses a rather earlier LO-criticality mode deadline than T2 and T3, and Afo > IIs, according to SRP, it starts to execute. Tl locks another resource 2P immediately, so now the system ceiling IIs =max(ec iILo(pd,ceiILo(P2)) = 1 "6' At time 4, the mode switch occurs due to Tl needs to execute more than C1 ( LO ) . After the mode switch, T4 is dropped, and Tl, T2 and T3 use their HI-criticality mode deadlines (i.e. 16, 20, 11) and IIs = max(e c iIH1(pl),ceiIH1(2p )) = �. Since Tl'S and T2'S HI-criticality mode deadlines are later t62n T3'S, and !A F ::; IIs, T3 is blocked. From T3'S point of view, it is blocked by both Tl and T2, which is contradictory to the property of SRP that a job can be blocked only once by one lower priority job. So simply using the original SRP to the mixed-criticality tasks with double deadlines is no longer correct. Ip2 r:;S�itt to H�-cnt�calit� �ot Tl(H I) : , t ,

0

229

We now present MC-SRP, a revised SRP protocol for use with the MC scheduling algorithms with the dual-deadline model. Given a dynamic-priority scheduled mixed-criticality task set (f, II), we can use the preemption level mapping A to transform it into the statically analyzable system(f, A). The LO-criticality mode and HI-criticality mode preemption levels of each task Ti E f are given similarly to SRP: 1 LA O d;f Di (LO) A I d;f Di (1HI ) ' H

Every resource ceiling ceiILo(Pk):

(3)

t

t

kP

E

LO ( ryt ) is assigned with a static

{ Af o l T i I TiEmax LO(r)

l

needs Pk } · (4) 0

Every resource kP E HJ ( ryt ) is assigned with two static ceilings ceilHI(kP ) and ceilLo(Pk). The HI-criticality mode

ceilHI(kP ) is defined as fI I TiEmax p l o· (5) HI(r) p I Ti needs d To avoid unsafe blocking, the LO-criticality mode ceiling ceilLO(kP ) in the MC-SRP is defined such that Ti cannot preempt Tj in LO-criticality mode unless it can also preempt Tj in HI-criticality mode: 'VkP HI('J\) : HI o fI ceilLO(kP ) I TiEmax HI(r) pf lA :s; ceil (kP n l · (6) We define two dynamic system ceilings IIfo and II�I II�o I max{ceilLO(kP )lkp is currently busy} l o· (7) II�I I max{ceilHI(kP )lkp is uc rrently busy} 1 Io- (8) ceiling

E

=

0

and locks resource P2 immediately, then II�I becomes 3. The timeline in the LO-criticality mode is shown in Fig. 3. From Fig. 2 and Fig. 3, we can see each job can be blocked only once in each mode under MC-SRP. SW h to t calit l T1(HI) : , t , , , , 122, , ,

H���i �

Z

T2(HI) : fp] en , , T3(HI) : t I l2u:!2, T4(LO) : h I t Fig. 2.

,

I

, , ,

,

0

I

, , ,

,

2

, ,

6

4

� l�o�e

10

8

12U:!2, t , , 12

,

t

I

t

14

16

MC-SRP: mode switch occurs at time 3 due to task

20

18

T2

=

=

The MC-SRP scheduling rules are defined as follows: In the LO-criticality mode, a job Ti is not allowed to start executing until its LO-criticality mode deadline is the earliest among the active jobs and its LO-criticality mode

A O is greater than the LO-criticality mode IIf J.

preemption level system ceiling

In the HI-criticality mode, all LO-criticality tasks are and a HI-criticality job Ti is not allowed to start executing until its HI-criticality mode (absolute) deadline is the earliest among the active jobs and its HI-criticality mode

T1(HI) : t , I T2(HI) : fp] n T3(HI) : t T4(LO) : h ,

Fig. 3.

2

A I is greater than the HI-criticality mode II� t.

Example 2: we use the same task set as shown in Table I. Now we apply MC-SRP to the task set. Using Equation (3), we can get -]to 3, A�O 1 , AfO 2, Afo 4; A{lI 2, A!jl 1 , A3 I 3. Using (5), we can get ec ilHI(pd 3, ec ilHI(P2) 3. Using (6), we can get =

=

ec ilLO(1P )

=

=

=

3,

ceilLO(2P )

=

=

=

lO2l I

h 6

4

,

10

8

t I h , 12

,

I

t

I

h

14

16

20

18

,

,

,

0



S"Yi h to HI-criticality mode ,

2

4



I"

, , 121,22,

t

6

8

"

"

"

122, t

I

i

10

12U22, t , , 12

I

14

t

16

18

20

=

=

3.

The timeline in the HI-criticality mode is shown in Fig. 2. At time 1, IIfo ceilLO(dp 3. Since T4 has the earliest LO-criticality mode deadline and its preemption level Afo is higher than IIfo, it preempts T2. At time 2, T4 is finished. Although T1 has an earlier LO-criticality mode deadline than T2, it cannot preempt T2 due to fA o, which has a value of 3, is not greater than the LO-criticality mode system ceiling IIfo. Hence, T2 continues to execute. At time 3, the mode switch occurs due to T2 needs to execute more than C2(LO). After the mode switch, T4 is dropped, and T1, T2 and T3 use their HI-criticality mode deadlines (i.e. 16, 20, 11) and II�I max(ec ilHI(pd,ec ilHI(P2)) 3. Since no active tasks' HI-criticality mode preemption level are greater than II�I, T2 continues to execute. At time 4, T2 finishes and unlock resource PI , then II�I O. For T3 has the earliest HI­ criticality mode deadlines among active HI-criticality tasks and A{fI 3 > 0, T3 starts to execute and locks resource PI and P2 immediately, then II�I becomes 3. At time 7, T3 finishes and unlock resource PI and 2P , then II�I O. Now, since T1 has the earliest HI-criticality mode deadlines among active HI-criticality tasks and A{lI 3 > 0, T1 starts to execute =

lO1l

T1(HI) : t 122, T2(HI) : fp] n T3(HI) : t T4(LO) : h

=

n

,

MC-SRP: No extra blocking in the LO-criticality mode

suspended

preemption level system ceiling

tB

I

I

,

0

,

I

,

=

=

=

=

=

=

=

230

Fig. 4.

MC-SRP: mode switch occurs at time 5 due to task

T1

The MC-SRP has the following set of properties. Most importantly, MC-SRP avoids unbounded blocking (Property 3), as demonstrated in Example 2. Property 1: Task Ti is not allowed to preempt task Tj in the LO-criticality mode, unless f A o > A1°; Task Ti is not allowed to preempt task Tj in the HI-criticality mode, unless AfI >

AHI

J

.

Under MC-SRP, a task Ti can only be blocked for at most one critical section in each mode(LO-criticality mode and HI-criticality mode) Proof First, we prove that a HI-criticality task Ti can be blocked at one critical section in LO-criticality mode and one critical section in HI-criticality mode. As seen in FigA, the carry-over job of T3 experienced both blocking from T2 in the LO-criticality mode and blocking from T1 in the HI-criticality mode. Second, we prove that a task Ti can be blocked at most at one critical section in the LO-criticality mode. Suppose that Ti Property 2:

is blocked for the duration of two critical sections shared with two tasks of lower LO-criticality mode preemption level, Tl and T2. Without loss of generality, assume Afo > Afo > A1;.°. This can happen only if Tl and T2 hold two different resources (such as PI and P2 )and T2 is preempted by Tl inside its critical section operating on resource P2 . This immediately yields to a contradiction. In fact, since Tl is not blocked by T2 on resource P2 , we have AfO > ec ilLO(P2). On the other hand, since Ti is blocked by T2 on resource 2P , we have ec ilLO(P2) � Afo. Hence, we obtain that Afo >� Afo, which contradicts the assumption. Finally, we prove that a HI-criticality task Ti can be blocked at most at one critical section in the HI-criticality mode. Suppose that Ti is blocked for the duration of two critical sections shared with two tasks of lower HI-criticality mode preemption level, Tl and T2. Without loss of generality, assume AfI > AfI > A!fI. This can happen only if Tl and T2 hold two different resources (such as PI and P2 )and T2 is preempted by T1 inside its critical section operating on resource P2 . Since Tl is not blocked by T2, we have Afo > ec ilLo(P2) or f A I > ceiIH1(P2). On the other hand, since Ti is blocked by T2 on resource 2P in the HI-criticality mode, we have ec ilHI(P2) � HA I > AfI. As a result, according to the definition of ec il1o(2P ), we can also get ceiILO(2P ) � Afo. This yields to a contradiction. Property 3:Under MC-SRP, while TH with high preemption level that needs shared resources is blocked by a task TL with low preemption level which locks some resource kP , task TM with medium preemption level can not preempt TL. That is, it can avoid multiple priority inversion in each mode and unsafe blocking. Proof Assume TM preempts T while TH is blocked by T L L on Pk. If this case occurs in the LO-criticality mode, we know that A i o < AX? < YP A · Since TH is blocked by TL on Pk. we can get AX? < AYP < ceilLO(kP ). Due to AX? < ec ilLO(kP ), TM cannot preempt T while T holds k P , which contradicts L L the assumption. If this case occurs in the HI-criticality mode, we know that AfI < AHI < AHI. Since TH is blocked by TL on Pk. we can get AljJ < AIf! ::; ec ilHI(kP ). In addition, according to the definition of ceilHI(kP ), we can get Apt ::; ec ilLo(kP ) Therefore, due to Af/ < ceilHI(kP ) and AMO < ec ilLo(kP ), TM cannot preempt TL while TL holds kP , which contradicts the assumption.

IV. MC-SRPT SRPT [5] is based on the observation that the threshold values used in the Preemption Threshold mechanism are very similar to the resource ceilings of SRP. In SRP, when a task accesses a critical section, the system ceiling is raised to the maximum between the current system ceiling and the resource ceiling. In this way, a released task cannot preempt the executing task unless its preemption level is greater than the current system ceiling. Such a mechanism can be thought of as a way to limit preemptability. In the following, we present MC-SRPT (MC-SRP with Thresholds). If we want to make task Ti and task Tj mutually non­ preemptive, we can let them share a pseudo-resource p*. At run time, instances of Ti or Tj will lock *p when they start executing and hold the lock until they finish. 231

If task Ti or task Tj is of LO-criticality, LO-criticality mode ceiling of resource *p is defined as: (9)

If task Ti and task Tj are of HI-criticality, the HI-criticality mode ceiling of resource *p is the maximum between the HI­ criticality mode preemption levels of Ti and Tj, as follows:

(10)

The LO-criticality mode ceiling of resource the same way as Equation(6):

ec ilLO(*p )

=

I I TiEmax HI(r) Pf ol Af

::;

*p is defined in

ceiIHI(*p )} I · 0

(11)

Suppose task Ti needs a set of pseudo-resources ip l' ... ) :P h. When Ti starts execution, it locks all of them: in MC-SRP, this corresponds to: raising the LO-criticality mode system ceiling II�o to maxk ceilLO(:P k) in the LO-criticality mod­ e, which we define as the LO-criticality mode preemption threshold ,fo of task Ti and raising the HI-criticality mode system ceiling II�I to maxk ec ilHI(P:k) in the HI-criticality mode, which is defined as the HI-criticality mode preemption threshold ,fI of task Ti. Each task Ti has a LO-criticality mode preemption threshold ,fo � Afo. Moreover, each HI-criticality task Ti E H ICQ has a HI-criticality mode preemption threshold ,fI � Ai I. MC-SRPT can be thought as an extension of the MC-SRP that adds pseudo-resources compatible with the regular shared resources. It can be easily shown that MC-SRPT retains all the properties of MC-SRP. Moreover, it has properties as: Property 4: Under MC-SRPT, a job can only be blocked be­ fore it starts execution; once started, it can only be preempted by jobs with higher preemption levels. (If a HI-criticality task Tj can block another HI-criticality task Ti in the HI-criticality mode, then Ti and Tj are mutually non-preemptive both in the LO-criticality mode and in the HI-criticality mode. ) Proof Firstly, suppose two tasks Ti and Tj with ,f I � AfI > AfI, and Ti can be blocked by Tj in the HI-criticality mode after it has started execution. This can happen only if Tj preempts Ti in the LO-criticality mode. Since ,JI � Af I, LA, O. And since HA I > )HA I, we can we can get ,""I)LO > also get ,fo � A1°. Therefore, Ti and 'Ti are mutually non­ preemptive in the LO-criticality mode. As a result, Ti cannot be blocked by Tj in the HI-criticality mode after it has started execution. Secondly, suppose two tasks Ti and Tj with ,fo � Afo > A1°, and Ti can be blocked by Tj in the LO-criticality mode after it has started execution. This can happen only if Ti preempts Tj or d preempts Ti in the LO-criticality mode. However, since ,f � Afo > A1°, Ti and Ti are mutually non-preemptive in the LO-criticality mode. Therefore, a job can only be blocked before it starts execution, once started, it can only be preempted by jobs with higher preemption level. Property 5: Under MC-SRPT, if a HI-criticality task Ti is non-preemptive by a HI-criticality task Tj in the HI-criticality mode, Ti is non-preemptive by Tj in the LO-criticality mode when Ti has started to execute. Therefore, it can avoid un­ bounded blocking during the mode switch period.

Proof Suppose Ti is non-preemptive by Tj in the HI­ criticality mode, but Ti is preemptive by Tj in the LO-criticality mode when Ti has started to execute, that is, ,fI � >..HI and to the definition of ,fo, we ,fo < f>.. o. However, according ", > H H LO I I ' which is contradicts the . >. if can get ","LO> . >. J J " assumption.

Example 3: Consider the mixed-criticality task set in Table II, which is similar to that in Table I except for resources. Using equation (3), we can get t >.. o 3, >..�o 1 , >..fo 2, ,f>.. 0 4; f>.. I 2, !>.. F 1 , >"3 I 3. To make Tl and T 3 =

=

=

L

Ti Tl T2 T3

T4

A

LO

Di (

HI

)

Di (

HI

15

6

HI

20

15

20

2

10

2

HI

10

8

LO

5

5

)

MIXED-CRITICALITY TASK SET

Ti

i

=

=

=

TABLE II.

=

15

Ci ( 2

LO

)

Ci (

['3 )

=

=

=

=

ec ilLO(pn 3, ,�o ec ilLO(pi) 3, max ( ceu'io(ip ),ec ilLO(ip )) 3, ,,f0 .>.,f0 ec il HI(p�) 3, ,fF ec ilHI(pi) 3, max(ec il'HI(]'p ),ec ilHI(ip )) 3. =

=

=

=

=







I I I I I I

2

I I

4

,

!

t

6

10

8

t t

t

! ,

!

12

t

14

16

18

20

=

=

4;

Fig. 5 .

MC-SRPT: No multiple blocking in the HI-criticality mode

V.

SCHEDULAB ILI T Y ANALYSIS

For a mixed-criticality system, we need to check three con­ ditions to verify schedulability of a task set: 1) schedulability in LO-criticality mode; 2) schedulability in the HI-criticality mode; and 3) schedulability during mode-switch period. A. Schedulability analysis in LO-criticality mode

=

=

=

MC-SRPT works as follows (see Fig. 5, which is similar to Fig. (2) except for resources): •

t

I

I

=

=

I

0

=

=

Z

: T 2(HI) : h en T 3(HI) : t I T 4(LO) : h I Tl (HI)



SW h to H�-c�it�ca it� �o�e t , I , I

I

=

=

At time 7, task T 3 finishes, and the system ceiling II�I returns to O. At this point, task Tl can start running. The system ceiling II�I is raised to ,fl.



I

HI

mutually non-preemptive, we introduce pseudo-resource pi. When Tl (or T 3) starts running, it immediately locks ip , and holds the lock until it ends. The HI-criticality mode ceiling of pi is ec ilHI(ip ) max(H>.. I,§l>.. I) 3; the LO-criticality mode ceiling of pi is ec il£(\ip ) max(>..fo,�>.. o,f>.. O) 3. Similarly, we introduce pseudo-resource r{j to make T 2 and 3 and T 3 mutually non-preemptive, and get ceil I(ip ) ec ilLO(ip ) 3. By definition of preemption threshold,

,LO }o }n ,fI

At time 4, task T 2 finishes, and the system ceiling II�I returns to O. At this point, task T 3 can start running. The system ceiling II�I is raised to ,iII.



Initially, the system is in the LO-criticality mode and the system ceiling II�o is O. At time 0, task T 2 is activated and starts executing. The system ceiling II�o is equal to ,�o. At time 1, task Tl , T 3, T 4 arrive. T 4 has the earliest LO-criticality mode deadline, and its LO-criticality mode preemption level ,f>.. 0 is higher than the current system ceiling II�o. Hence, according to MC-SRPT, T 4 preempts T 2.

At time 2, task T 4 is finished. Although Tl has the earliest LO-criticality mode deadline among the active tasks, it cannot start runnin8, since its LO-criticality mode preemption level L>.. is not higher than the current system ceiling II�O. Hence, according to MC­ SRPT, T 2 continues to execute. At time 3, task T 2 has run for C 2(LO) without signaling completion, causing a system-wide mode switch to the HI-criticality mode according to [1]. Hence, by MC-SRPT, T 4 is dropped, and Tl , T 2, T1 3 begin to use their HI-criticality mode deadlines, and the system ceiling II�I is equal to ,!p. At this point, even though T 3 has the earliest HI-criticality mode deadline, its HI-criticality mode preemption level §l >.. I is not higher than the current system ceiling II�I, so it is blocked, and T 2 continues to run.

232

While the system is in LO-criticality mode, each task Ti behaves as a normal sporadic task with parameters Ci (LO), Di (LO) and Ti . We follow the analysis in [8]. First, we calculate the maximum blocking time BrLO (L) that can be experienced by Ti E r inside a busy period of length L in the LO-criticality mode, since its LO-criticality mode preemption level is no greater than the LO-criticality mode ceiling of some resource:

BrLO(L)

=

I maxh ({C;jh V'

,

J,

> (L + l)

-

1 I Di (LO)

:s;

L

1\

ec ilLO(j(] h) � f.>. O})llo (12) The maximum blocking time BpLO (L) that can be expe­ Dj (LO)

1\

rienced by any task Ti E r inside a busy period of length L due to the preemption threshold settings is:

BpLO(L)

=

I �i�J ({Cj (LO) - 1 I Di (LO)

Dj (LO)

> (L + l)

1\

:s;

L

1\

,fo � f>.. O})llo

(13)

The maximum blocking time BLO(L) which denotes the maximum blocking time experienced by r inside a busy period of length L in the LO-criticality mode is defined as: A sufficient schedulability condition in LO-criticality mode is known from [8]:

Theorem 1. The following condition is sufficient for guar­ anteeing that f is schedulable under EDF+MC-SRPT in the LO-criticality mode:

VL E d LO : B LO (L) N SLACK LO (L) = L - L k =l Here d LO denotes the set of

:s:

SLACK LO (L) , where

HI

(l L - Dk (LO) J + 1 ) Ck (LO) Tk

(

and

)

B. Schedulability analysis in HI-criticality mode

The schedulability condition in HI-criticality mode is sim­ ilar to that of LO-criticality mode. When all carry-over jobs have completed, and the system is in HI-criticality mode, each task Ti E HI (r) behaves as a normal sporadic task with parameters Ci (HI) , Di (HI) and Ti . The maximum blocking time B rH I (L) which denotes the maximum blocking time that can be experienced by any task Ti E H I(f) inside a busy period of length L in the HI-criticality mode due to its HI­ criticality mode preemption level is not greater than the HI­ criticality mode ceiling of some resources is defined as follows [8]:

( I 'h,JEmax HI(r),Vh {C;jh - 1 1 Di (HI):S: L ec ilHI(je h)�AfI } )l o Dj (HI»(L + l )

B rHI (L) =

. .

/\

/\

(15)

The maximum blocking time B pHI (L) which denotes the maximum blocking time that can be experienced by any task Ti E H I(f) inside a busy period of length L in the HI­ criticality mode due to its HI-criticality mode preemption level is not greater than the preemption threshold of tasks with lower HI-criticality mode preemption level is defined as follows:

I

({Cj (HI) - 1 1 Di (HI) :s: L Dj (HI)> (L + l ) "tfII �AfI } ) l o

B pHI (L) = �i�f

t

E

dHI : B HI (L) :s: SLACK HI (L)

233

I

_

_

Switch to , HI-criticality mode

r

, ' , \',t*

,



UHI H UI

, ' , ,'t ,

' i r+ Di (LO)

--I ---+l

1=

)

,

r+ Di (HI)

L - (Di (HI) - Di (LO ) )

Fig. 6. A carry-over job o f Ti has a remaining scheduling window of length L after the switch to HI-criticality. Here the switch happens before the job's LO-criticality deadline.

The schedu­

Theorem 2. The following condition is sufficient for guaran­ teeing that HI(r) is schedulable under EDF+MC-SRP T in the steady HI-criticality mode:

VL

(

Assume tasks are schedulable in both the LO-criticality mode and HI-criticality mode. To check schedulability during the �ode switch period, we need to make sure all the carry­ over Jobs are schedulable during the mode switch period. Let t* denote the time-instant at which HI-criticality behavior is first flagged (i.e., the first instant at which some job executes for more than its LO-criticality worst-case execution time without signaling that it has completed execution). Suppose some task misses its deadline during the mode switch period. Let t be the first time instant when such a deadline miss occurs, and the job is from Ti . We denote L = t - t*. There can be at most on� j�b with deadline> t that executes in the interval [t*, t] . ThIS IS a blocking job since it delays the execution of some job with earlier deadline. No job released after t* and with deadline> t - t* could execute in [t*, tJ , because the carry­ over job from Ti is already released before t* and with absolute deadline = t. Thus, the blocking job from Tj that executes in the interval [t*, t] must be released before t*. Hence, it is a carry-over job with relative deadline Dj (H I) > t - t*. 1) Blocking Function: As seen in Fig. 6, the maximum blocking time B pf1C (L) that a HI-criticality task Ti E HI(r) can experience with the MC-SRPT during the the scheduling window [t*, t] due to preemption thresholds is defined in the following cases:

• m.

) Ck (HI)

C. Schedulability analysis during mode switch period

(16)

The maximum blocking time B H I (L) which denotes the na � �imum blocki?g tin�e that can be experienced by HI (f) Inside a busy penod of length L in the HI-criticality mode is defined as: Assume the number of tasks in H I(r) is lability test is known from [8]:

Tk

k =l

UHI " UHI

/\

/\

M

L (l L - Dk (HI) J + I

"' M l (Tt D t (HI) ) Ut HI H x ' L..n= H and max D ma 1 where D ::'�x = max{D1 (HI) , . . . , D M (HI) } , = t M Ci (HI) = � t . and Tt i=1 .

hyperperlOd

LOx ' Li-l (Ti - Di (LO) ) U PO ' max D ma 1- U LO where D *,�x = max{D1 (LO) , . . . , D N (LO) } , Ut LO = N Ci (LO) " LO and U = � Ut LO. Tt i =l H

SLACK HI (L) = L -

(18) . where d IS the set of all absolute deadlines no greater than a certain point in time, given by the minimum between the

all absolute deadlines no greater than a certain time instant, given bJv the minimum of the hy-

perperiod

with

If L < Di (HI) - Di (LO ) , the start of the mode switch period t is after the deadline of Ti in LO­ criticality mode, then the maximum blocking time B pf1C (L) =



O.

(Di (HI) - Di (LO ) ) :s: L < Ci (LO) + (Di (HI) Di (LO ) ) . Since the carry-over job of Ti would

have met its deadline in LO-criticality mode if the switch had not happened, there can be at most I =

L - (Di (HI) - Di (LO ) ) time units left of its LO­ criticality execution demand Ci (LO) at the time of

the switch. The job must therefore have executed for at least Ci (LO) - l time units before the switch. According to the property 4 of MC-SRPT, Ti cannot be blocked after it starts execution, so B pr c (L) 0. =





If L?: Ci (LO)+(Di (HI) - Di (LO) ) , the carry-over job of Ti may not have started execution at time t. In this case, if Ti has the highest HI-criticality preemption level, the maximum blocking time B pr c (L) must be due to a task Tj with lower HI-criticality preemption level which incurs the mode switch. Since Tj is non­ preemptive by Ti (with highest preemption level in HI­ criticality mode), it is non-preemptive by other tasks in HI-criticality mode. By Property 5 of MC-SRPT, Tj is also non-preemptive by any other HI-criticality task in the LO-criticality mode when it has started. The maximum blocking time B prC (L) that Ti can experience during the scheduling window of [t*, t] is from the blocking task Tj with (Dj (H I) > L) and the maximum (Cj (HI) - Cj (LO ) ) . If L ?: Ci (LO) + (Di (HI) - Di (LO ) ) and HI­ criticality mode preemption level of Ti is not the highest, the mode switch may be incurred by task Tk with higher HI-criticality mode preemption level than Ti, which preempts the carry-over job from Tj that can block Ti when Tj has executed for 1 time unit in the LO-criticality mode. So the maximum blocking time B prC (L) that Ti can experience during the scheduling window of [t*, t] is from the blocking task Tj with Dj (HI) > L and the maximum Cj (HI) .

Summarizing the above cases, we have

0, if l < Ci (LO); max{Cj (HI) - Cj (LO) < :s; 1\ Dj (HI) - 1> L} if l?: Ci (LO) 1\ is the highest; {Cj (HI) < :s; 1\ Dj (HI) - 1> L } , otherwise.

I VJI

B M C (L)

AfII ,fI

=

Theorem 3. The maximum length of the mode switch period is D;;'{.x (Di (HI) ). It is sufficient for guar­ anteeing that HJ(f) is schedulable under EDF+MC-SRPT in the switch-mode: \10 :s; L :s; D;;'{.x' =

1\

maxTiEHI(r)

B M C (L) +

L

TkEHI(r)

dbfHI (Tk , L):S; L

where B M C (L) is defined in Equation(2l), and is the same with Equation(2).

(22)

dbfHI (Tk , L)

Example 4: Applying the schedulability test during the mode switch (Equation (22)) to Example 3, we can get the maximum length of the mode-switch period as D;;,�x 20 . •

0. No job can fit in the If L 1 , B M C (L) scheduling window of [0, L] ; 0. Only the carry-over job If L 2, B M C (L) of T3 can fit in the scheduling window of [0, LJ , and

(19)



=

=

=

=

B tIC (L)

if L:S; (Di (HI) - Di (LO) ;

fA I

(21)

t

=

=

0;

If 3:S; L:S; 4, B M C (L) 1 . Only the carry-over job from T3 can fit in the scheduling window of [0, LJ , since T3 has the highest preemption level in the HI­ criticality mode, the job that blocked T3 during the mode switch must be the job that caused the mode switch, so the maximum blocking time is B tIC (L) =

=

1.

=

B rr c (L)

max )� (B M C (L) ) Di(HI)-D.i( LO L

The demand-bound function dbfHI (Ti , L) for task Ti, which upper-bounds the maximum execution demand of jobs from Ti inside the interval [t*, t] of length L is defined in Equation (2). The maximum length of the mode switch period is the maximum HI-criticality mode relative deadline, that is, D;;'{.x maxTiEHI(r) (Di (HI) ) , so t :s; D;;'{.x· Summing the cumulative demand of all jobs over [t*, tJ , we get B M C (L) + LTkEH (r) dbfHI (Tk , L) > L. Taking the contrapositive, we get theI following theorem.



The maximum blocking time B rrC (L) that a HI­ criticality task Ti E HJ (r) can experience with the MC­ SRPT during the scheduling window [t*, t] of length L due to resources is defined as (l L - (Di (HI) - Di (LO) )):

{O'max{ L } , otherwise.

If 5 :s; L:S; 8, B M C (L) 1 . Only the carry-over jobs from T3 and T2 can fit in the scheduling window of [0, L], since T2 has the lowest preemption level in the HI-criticality mode,BaMC (L) 0, so the maximum blocking time is B tI (L) 1 . =

=

=

The maximum blocking time B fIC (L) that can be expe­ rienced by a HI-criticality task Ti E H J(r) in the scheduling window [t*, t] of length L during the mode switch period:

234



1 . Besides the carry­ If 9 :s; L :s; 10, B M C (L) over jobs from T3 and T2, the carry-over job from T1 can fit in the scheduling window of [0, L] . If the carry-over job from T1 can fit in [0, LJ, it must have started running sometime before the switch, otherwise it would have missed its deadline in the LO-criticality =

mode. Therefore, no job can block the carry-over job from Tl within [0, L] during the mode switch, so the maximum blocking time is BfIC (L) 1 . =

If 1 1

L 2,BrC (L)



:s;

:s;

=

2. Since BfIC (L) 18, B M C (L) O,BfIC (L) 1 =

=

=

=

blocking time is O. VI.

MINIMIZING STACK MEMORY SIZE

Tasks in H l( r ) are ordered by increasing HI-criticality mode preemption levels; tasks in r are ordered by increas­ ing LO-criticality mode preemption levels. Initially each task is assigned the identity preemption thresholds (i.e.'Yfo A fo , 'Yf I Af I ). In this algorithm, the HI-criticality mode preemption thresholds of HI-criticality tasks are first assigned, from tasks with the highest HI-criticality mode preemption level to tasks with the lowest HI-criticality mode preemption level; then the LO-criticality mode preemption thresholds of tasks are assigned from tasks with the highest LO-criticality mode preemption level to tasks with the lowest LO-criticality mode preemption level. =

=

Procedure HI (r).getTaskHI('Yf I ) returns the task with HI-criticality mode preemption level equal to the cur­ rent HI-criticali2' mode preemption threshold of Ti , and r.getTaskLO('Yf ) returns the task with LO-criticality mode preemption level equal to the current LO-criticality mode pre­ emption threshold of Ti ; adjustPTLO(Ti) sets the LO-criticality mode preemption threshold of Ti according to 'Yf I using E­ quation (11) ; procedures isSchedulableHI(), isSchedulableLO() and isSchedulableSM() check schedulability of the task set in the HI-criticality mode, LO-criticality mode and during the mode switch period, respectively. To reduce the complexity of the procedures isSchedulableHl() and isSchedulableLO() , we use the following techniques: since Jrdk } and { SL A C K (dk ) } are fixed for the task sets r L O and r I , which are independent of preemption threshold assignment iJ! , we record them. Every time when the preemption threshold 'Yi of Ti is increased to the preemption level Aj of Tj , we only need to check dk E {dk I Di > dk ?: Dj } (because this preemption threshold change may only affect the maximum blocking time of these dk ) · If Vdk E {dk I Di > dk ?: Dj } , B (d k ) :s; SLACK (dk ) , the task set is schedulable (in fact we only need to check {dk I Di > d k

?:

Dj } , Ci

:s;

=

\{I I

tasks in the HI-Criticality mode *1

2 : foreach Ti E HI (r) do 3: schedulable TR UE 4: 5: 6:

while (schedulable

'Ylu 'YfI + 'Y_old 'Yfo =

==

TRUE

and

'Ylu


d;t/)

do

=

1* Check schedulability in steady HI-criticality mode*1

7: 8: 9:

=

E

\{I

1* First, assign the preemption thresholds o f HI-criticality

Tj HI(r) .getTaskH1bfI ) schedulable isSchedulableHI(Di (Hl) , Dj (Hl) =

=

1* Check schedulability in LO-criticality mode*1

Up to now we have assumed that task preemption thresh­ olds are given as problem input, and addressed task schedu­ lability issues. In this section, we present the Preemption Threshold Assignment Algorithm (PTAA) [9] , as shown in Algorithm 1. PTAA was shown to be optimal with respec­ t to stack usage (with the assumption of a given priority assignment) [9] . Given r, a mixed-criticality sporadic task set r { (Li , Ci (LO ) , Ci (Hl) , Di (LO) , Di (H Q , Ti) 1 1 :s; i :s; N } , and preemption levels A fo and Af have been already assigned to each task Ti as explained earlier for dynamic-priority schemes, PTAA finds preemption threshold assignments iJ! H I and iJ! L O for each task in r.

Vdk

1:

=

If 1 9 :s; L :s; 20, B M C (L) O. No task Ti satisfies Di (Hl) - 1 > L, hence there is no blocking job in the scheduling window of [0, LJ , so the maximum



PTAA(HI(r), r , rr)

Algorithm 1

I*initialize preemption threshold to identity assignment*1

SLACK (d k )).

235

if

(schedulable TRUE) then 'Yfo according to Eqn. ( l l ) *1 'Yfo adjustPTLO(Ti ) Tk r .getTaskLO bfO ) schedulable isSchedulableLO (Di (LO) , Dk (LO) ) ==

1* Adjust

10: 11: 12: 13

=

=

=

end if 1* Check schedulability during mode switch*1

14: 15: 16: 17: 18:

if

(schedulable schedulable

T RU E) then isSchedulableSMO

==

=

end if if

(schedulable 'Yfo 'Y_old 'Y f I 'Y f I

==

FALSE)

then

=

19: end if 20: 21: end while 22: end for

=

-

1

1* Assign task preemption thresholds in LO-criticality mode *1

2 3 : foreach Ti E r do 24: schedulable T RU E =

25: 26:

while (schedulable

'Yfo

=

'Yfo

==

T RU E

and

'Yfo

+ 1


-kP)

do

1* Check the schedulability in the LO-criticality mode*1

27 : 28: 29:

Tj r .getTaskLO bfO ) schedulable isSchedulableLO (Di (LO) , Dj (LO» i f (schedulable FALSE) then 'Yfo 'Yfo 1 =

=

==

30: 31: end if 32: end while 3 3 : end for 34: return \{I

=

-

VII. PERFORMANCE EVALUATION We focus on stack size reduction for performance evaluation, and define the stack save ratio n Cr) for taskset r as the optImIzation objective: ST ACKMc - SRPT (r) n cr) (1 ) x 100%, where ST ACKgreedy-EDF ST ACKgreedy -EDF and ST A CKM -SRPT are the total stack size requirement for GreedyC and our proposed MC-SRPT, respectively. We use randomly-generated synthetic task sets for per­ formance evaluation. Task set generation is controlled by two parameters: number of tasks N, and the LO-criticality system utilization UL O . Each new task Ti is generated as follows: Li HI with probability PH I 0.5; LO-criticality mode utilization (UFo Ci (LO) /Ti) is generated using the UUnifast algorithm [10] , giving an unbiased distribution of utilization values. The LO-criticality execution time Ci (LO) Ui (LO ) /Ti ; Ti is generated according to a log-uniform distri=

=

=

=

60

[2]

P. Ekberg and W. Yi, "Outstanding paper award: Bounding and shaping the demand of mixed-criticality sporadic tasks," in ECRTS, R. Davis, Ed. IEEE Computer Society, 20 1 2 , pp. 1 35-144.

[3]

30 20 10

N�5 l-_-NllO i _ Nb15 0.5 0.55 0. 6 0. 6 5 0.7 0.75 0.8 0.85 0.9 j

t

...

T. P. B aker, "Stack-based scheduling of realtime processes," Real-Time 3, no. I, pp. 67-99, 1 9 9 1 .

Systems, vol.

[4]

Y. Wang and M . Saksena, "Scheduling fixed-priority tasks with preemption threshold," in RTCSA. IEEE Computer Society, 1 999, pp. 328-.

[5]

P. Gai, G. Lipari, and M. D. Natale, "Minimizing memory utilization of real-time task sets in single and multi-processor systems-on-a-chip," in RTSS. IEEE Computer Society, 200 1 , pp. 73-83.

)(o • •

[6]

R. J. Bril, M. M. H. P. van den Heuvel, U. Keskin, and J. J. Lukkien, "Generalized fixed-priority scheduling with limited preemptions," in ECRTS, R. Davis, Ed. IEEE Computer Society, 20 1 2 , pp. 209-220.

[7]

K. Lakshmanan, D. de Niz, and R. Rajkumar, "Mixed-criticality task synchronization in zero-slack scheduling," in IEEE Real-Time and Embedded Technology and Applications Symposium. IEEE Computer Society, 20 1 1 , pp. 47-56.

[8]

S. K. B aruah, "Resource sharing in edf-scheduled systems: A closer look," in RTSS. IEEE Computer Society, 2006, pp. 379-3 87.

[9]

R. Ghattas and A. G. Dean, "Preemption threshold scheduling: Stack optimality, enhancements and analysis," in IEEE Real-Time and Embed­ ded Technology and Applications Symposium. IEEE Computer Society, 2007, pp. 1 47-1 57.

[ 1 0]

E. B ini and G. C. Buttazzo, "Measuring the performance of schedula­ bility tests," Real- Time Systems, vol. 30, no. 1 -2, pp. 1 29-1 54, 2005.

!,.

Taskset CPU Utilizatio n U LO

Fig. 7.

Stack size reduction for MC-SRPT compared to Greedy

bution with a factor of 100 difference between the minimum and maximum possible task period. This represents a spread of task periods from lOms to 1 second; Task deadlines Di were set equal to its period Ti ;Gi (H1) is drawn form the uniform distribution over [Gi (LO) , 2 · Gi (LO)] if Li HI. Otherwise, Gi (HI) Gi (LO ) ; Maximum stack size of task Ti , Si , is chosen from a uniform distribution between 20 and 120 units. We consider task sets with the number of tasks N 5 , 10, 15. For each N, and each LO-criticality mode CPU utilization U LO (r) from 50% to 90%, with increment gran­ ularity of 1 %. 1000 task sets are randomly generated for each U LO (r) , resulting in a total of 41000 task sets for each N. All of them are schedulable with Greedy without shared resources and fully-preemptive scheduling. For each taskset, we use PTAA (Algorithm 1) to find the preemption threshold assignments iJ! H I and iJ! LO for r. Figure 7 indicates that MC-SRPT can achieve significant reduction in stack size, especially for larger task set size. For example, it saves 50% - 55% of the stack space compared with Greedy when N 15.

[II]

R. Davis, Ed., 24th Euromicro Conference on Real- Time Systems, l l -I3, 201 2 . IEEE Computer Society,

ECRTS 2012, Pisa, Italy, July

2012.

=

=

=

=

VIII. CONCLUSIONS In this paper, we propose the integration of the data synchronization protocol SRP and preemption thresholds in­ to mixed criticality systems, as well as their schedulability analysis techniques. The proposed framework is shown to be effective in reducing system stack space. For future work, we plan to address other EDF-scheduled mixed-criticality task model with dual-deadline model. IX. ACKNOWLEDGMENTS This work is partly supported by NSFC Project #61070002 and NSERC Discovery Grant RGPIN 418741-12. REFER ENCES

[I]

S. K. Baruah and G. Fohler. "Certification-cognizant time-triggered scheduling of mixed-criticality systems," in RTSS. IEEE Computer Society, 201 1 , pp. 3-12.

236

ApPENDIX

A. Transforming Preemption Levels to Integers

Let tasks in r {T1 ' T2 , . . . , TN } be ordered by decreasing relative deadlines in LO-criticality mode.To make .>.fo have an integer value, we define the LO-criticality mode preemption level .>.fo of each task Ti as: =

.>.f

O

=

if

1 if i > 1 and Di (LO) Di - 1 (LO) + if i > 1 and Di (LO) < Di - 1 (LO) . i

{I,.>.f�, .>.f�

=

=

I,

(23) Let tasks in HI (r) {T1 ' T2 , . . . , TM } be ordered by decreasing relative deadlines in HI-criticality mode.To make .>.fI have an integer value, we define the HI-criticality mode preemption level .>.f I of each task Ti E HI (r) in the same way with .>.fo: =