2013 IEEE International Conference on Embedded and Real-Time Computing Systems and Applications
Integration of Resource Synchronization and Preemption-Thresholds into EDF-Based Mixed-Criticality Scheduling Algorithm

Haibo Zeng, McGill University, Canada
Qingling Zhao and Zonghua Gu, Zhejiang University, China

Abstract: In mixed-criticality systems, multiple subsystems with different levels of criticality may co-exist on the same hardware platform. Many scheduling algorithms have been proposed to achieve certification at multiple levels of criticality. However, current MCS algorithms and analysis techniques generally assume tasks are independent, i.e., they do not share data that need to be protected with synchronization mechanisms like mutexes or semaphores. In this paper, we address this limitation by presenting an extension to the Stack Resource Protocol (SRP), called Mixed-Criticality-SRP (MC-SRP). Moreover, preemption threshold scheduling is a well-known technique for reducing stack space size and enhancing schedulability in resource-constrained embedded systems. We also present the integration of preemption thresholds into EDF-based mixed-criticality scheduling (MCS) algorithms, and develop the schedulability analysis methods for such systems.
9781479908509/13/$31.00 ©2013 IEEE

I. INTRODUCTION AND RELATED WORK

Today's complex embedded systems need to integrate diverse applications with varying levels of importance, or criticality. For example, in the avionics certification standard DO-178B, there are 5 criticality levels, classified according to the degree of damage caused by failure of the application: catastrophic; hazardous; major; minor; no effect. Similarly, in the automotive certification standard ISO 26262, there are 4 criticality levels, Automotive Safety Integrity Level (ASIL) A, B, C and D, with D being the highest criticality level. In order to address system integration challenges of mixed-criticality systems, Mixed-Criticality Scheduling (MCS) has been proposed to achieve strong temporal protection for high-criticality tasks and efficient utilization of hardware resources, for fixed-priority scheduling [1] and EDF (Earliest Deadline First) scheduling [2].

Current MCS algorithms and analysis techniques generally assume tasks are independent, i.e., they do not share data that need to be protected with synchronization mechanisms like mutexes or semaphores. This is an important limitation that severely restricts the applicability of MCS to realistic applications. In this paper, we address this limitation by presenting extensions to the Stack Resource Protocol (SRP) [3], a well-known shared-resource synchronization protocol used in the context of EDF scheduling, to make it applicable to MCS.

Ekberg et al. [2] proposed the dual-deadline model in the context of EDF scheduling, where each task is associated with two deadlines: a low (LO)-criticality mode virtual relative deadline and a high (HI)-criticality mode relative deadline. This model has been shown to outperform the other approaches to mixed-criticality scheduling. However, it did not consider resource sharing. An important and useful property of SRP is that each job can be blocked at most once, before it starts running. However, it no longer holds for the dual-deadline model in [2], which may introduce unbounded blocking if the original SRP is directly applied. In this paper, we adapt SRP to the dual-deadline model, and propose Mixed-Criticality-SRP (MC-SRP), along with a schedulability test for it. Our protocol ensures that each task is blocked at most once in each (LO- or HI-criticality) mode, that is, at most twice in its lifetime, thus providing an upper bound for the worst-case blocking time. We also present integration of preemption threshold scheduling to minimize stack space usage.

Wang et al. [4] introduced the notion of Preemption Threshold Scheduling (PTS), which allows a task to disable preemption from other tasks up to a certain degree: each task is assigned a threshold priority that is higher than its nominal priority, and only tasks with higher priority than a task's threshold are allowed to preempt it. PTS can be viewed as a technique for controlling the degree of preemption, with fully-preemptive and fully-non-preemptive scheduling algorithms as special cases. Its benefits include: minimizing the application stack space requirement compared to fully-preemptive scheduling, which is very important for mass-produced, cost-sensitive embedded systems like automotive embedded control systems; and improving schedulability (in certain cases) compared to both preemptive and non-preemptive scheduling. PTS can be supported natively by the RTOS kernel, e.g., ThreadX from Express Logic, or built on top of the existing synchronization mechanisms by introducing pseudo-resources [5]. Although MCS was originally proposed in the context of safety-critical avionics applications, it is also finding its way into the automotive domain, which shares many characteristics and trends with avionics applications.
As the automotive industry faces intense cost-cutting pressure in today's competitive market, it is important to minimize hardware costs by adopting cheaper processors with limited hardware (processing and memory) resources. Since PTS can be implemented using pseudo-resources [5], our extension to SRP also enables integration of PTS with MCS, in order to minimize application task stack usage and improve schedulability in the context of MCS. This can help reduce hardware costs, but it has not been addressed before, perhaps due to the perceived lack of motivation in the avionics domain.

Bril et al. [6] presented Fixed-Priority Generalized Scheduling (FPGS), a combination of Fixed-priority scheduling with deferred preemption (FPDS) and Preemption Threshold Scheduling (PTS). In FPDS, each job of a task consists of a sequence of non-preemptive sub-jobs, and preemption is only permitted at preemption points between consecutive sub-jobs. FPGS is a refinement of FPDS with preemption thresholds for both jobs and sub-jobs. It is potential future work to investigate the applicability of FPGS in the context of mixed-criticality scheduling.

Lakshmanan et al. [7] presented resource synchronization protocols for Zero-Slack Scheduling (ZSS): PCIP (Priority and Criticality Inheritance Protocol) and PCCP (Priority and Criticality Ceiling Protocol) as extensions to the conventional PIP and PCP for fixed-priority scheduling. ZSS is not designed for achieving safety certification. It offers asymmetric protection for higher-criticality tasks at the expense of lower-criticality tasks during system overload, but it does not guarantee that all deadlines are met even for tasks at the highest criticality level. Therefore, synchronization protocols developed for ZSS are not directly applicable to certifiable mixed-criticality scheduling.
This paper is structured as follows: section II introduces terminology and background; section III presents Mixed-Criticality Stack Resource Protocol (MC-SRP); section IV presents Mixed-Criticality Stack Resource Protocol with Preemption Threshold (MC-SRPT); section VI presents an algorithm for assigning preemption thresholds; section VII presents performance evaluation results; finally, section VIII concludes the paper.

II. TERMINOLOGY AND BACKGROUND
We consider a task set of $N$ mixed-criticality sporadic tasks $\Gamma = \{\tau_1, \ldots, \tau_N\}$. Each task $\tau_i$ has a tuple of parameters $\langle C_i(LO), C_i(HI), D_i, T_i, L_i \rangle$, where $C_i(LO)$ and $C_i(HI)$ are the task's worst-case execution times in LO- and HI-criticality mode, respectively; $D_i$ is its relative deadline; $T_i$ is its period (or minimum inter-release separation time for sporadic tasks). All the above timing parameters are assumed to be non-negative integers. We assume the system is dual-criticality, i.e., there are only two criticality levels HI (high) and LO (low). Thus the criticality level of task $\tau_i$ is $L_i \in \{LO, HI\}$. We assume constrained deadlines and also make the standard assumptions about the relations between LO- and HI-criticality worst-case execution times:

$$\forall \tau_i \in \Gamma: \; C_i(LO) \le C_i(HI) \le D_i \le T_i.$$

We consider a set of shared resources $\mathfrak{R} = \{\rho_1, \ldots, \rho_P\}$ accessed in a mutually exclusive way using critical sections. To simplify our presentation, only single-unit resources are considered. We assume that only tasks of the same criticality level can share resources, for the sake of error isolation, to prevent error propagation from the non-safety domain to the safety domain. The $h$-th critical section of task $\tau_i$ is denoted by $\xi_{ih}(\varrho_{ih}, \varsigma_{ih})$, where $\varrho_{ih} \in \mathfrak{R}$ is the resource accessed by the critical section; $\varsigma_{ih}$ is the worst-case execution time of the critical section.

Throughout the paper, we assume that all tasks are scheduled based on their absolute deadlines, according to the Earliest Deadline First (EDF) algorithm. Moreover, the initial phases of periodic tasks are arbitrary. Finally, to simplify the presentation of the analysis, we neglect the overhead introduced by the operating system.

We define the set of tasks with HI-criticality level as $HI(\Gamma) = \{\tau_i \in \Gamma \mid L_i = HI\}$ and assume the number of tasks in $HI(\Gamma)$ is $M$. Moreover, $LO(\mathfrak{R})$ and $HI(\mathfrak{R})$ denote the set of resources shared by LO-criticality tasks and the set of resources shared by HI-criticality tasks, respectively. For compactness of presentation, we define the notation $\|\cdot\|_0$ as

$$\|x\|_0 \stackrel{\text{def}}{=} \max(x, 0).$$

Definition 1 (Carry-over jobs). A job from a HI-criticality task that is active (released, but not finished) at the time of the switch to HI-criticality mode is called a carry-over job.

Definition 2 (Mode switch period). The time interval from the time of the switch to HI-criticality mode to the time when all carry-over jobs are finished.

The system can switch from HI back to LO-criticality mode when the CPU becomes idle, but we do not address it in this paper.

We briefly review the Greedy algorithm in [2] using the dual-deadline model. Each task $\tau_i$ in the mixed-criticality sporadic task set $\Gamma$ has a virtual LO-criticality mode relative deadline $D_i(LO)$ and a HI-criticality mode relative deadline $D_i(HI)$. Note $D_i(LO) = D_i$ if $L_i = LO$ and $D_i(LO) \le D_i(HI) = D_i$ if $L_i = HI$.

Definition 3 (Demand-bound function). A demand-bound function $\mathrm{dbf}(\tau_i, L)$ gives an upper bound on the maximum possible execution demand of task $\tau_i$ in any time interval of length $L$, where demand is calculated as the total amount of required execution time of jobs with their whole scheduling windows within the time interval.

Definition 4 (Supply-bound function). A supply-bound function $\mathrm{sbf}(L)$ gives a lower bound on the amount of supplied execution time of the platform in any time window of size $L$.

We consider a unit-speed, dedicated uniprocessor, with $\mathrm{sbf}(L) = L$ in this paper.

Proposition 1 ([2]). A mixed-criticality task set $\Gamma$ is schedulable by EDF on a platform with supply-bound function $\mathrm{sbf}_{LO}$ in LO-criticality mode and $\mathrm{sbf}_{HI}$ in HI-criticality mode if both of the following conditions hold:

Condition A: $\forall L \ge 0, \; \sum_{\tau_i \in \Gamma} \mathrm{dbf}_{LO}(\tau_i, L) \le \mathrm{sbf}_{LO}(L)$

Condition B: $\forall L \ge 0, \; \sum_{\tau_i \in HI(\Gamma)} \mathrm{dbf}_{HI}(\tau_i, L) \le \mathrm{sbf}_{HI}(L)$

Demand-bound function $\mathrm{dbf}_{LO}(\tau_i, L)$ for task $\tau_i$ in LO-criticality mode is:

Demand-bound function $\mathrm{dbf}_{HI}(\tau_i, L)$ for task $\tau_i$ in HI-criticality mode is:

$$\mathrm{done}(\tau_i, L) \stackrel{\text{def}}{=} \begin{cases} \|C_i(LO) - n + D_i(HI) - D_i(LO)\|_0, & \text{if } D_i(HI) > n \ge D_i(HI) - D_i(LO) \\ 0, & \text{otherwise.} \end{cases}$$
Here $n$ is defined as $n = L \bmod T_i$.

SRP [3]. We briefly review the Stack Resource Protocol (SRP) [3]. Each task $\tau_i$ is assigned a dynamic priority $\pi_i$ based on EDF, and a static preemption level $\lambda_i$. Task $\tau_i$ is not allowed to preempt task $\tau_j$ unless $\lambda_i > \lambda_j$. Under the EDF scheduling policy, the static preemption level of $\tau_i$ is assigned proportional to the inverse of its relative deadline, $\lambda_i = \frac{1}{D_i}$. Such a definition can be easily translated into integer values (refer to the appendix for details). Each resource $\rho_k$ is assigned a static ceiling equal to the maximum preemption level of any job that may access it: $\mathrm{ceil}(\rho_k) = \max_i \{\lambda_i \mid \tau_i \text{ needs } \rho_k\}$. Moreover, a dynamic system ceiling is defined as the highest ceiling of all the resources which are held by some job at any time $t$: $\Pi_s = \max[\{\mathrm{ceil}(\rho_k) \mid \rho_k \text{ is currently busy}\} \cup \{0\}]$. Then, the SRP scheduling rule states that a job is not allowed to start executing until its priority is the highest among the active jobs and its preemption level is greater than the system ceiling. SRP ensures that once a task is started, it will never be blocked until completion; it can only be preempted by higher-priority tasks. It may be blocked only once by a lower-priority job before it starts running. However, if we use the original SRP in the dual-deadline model, a task can experience unbounded blocking, as we will show in the motivating example next. This is undesirable.

A. Motivating Example
Consider a mixed-criticality task set, as shown in Table I. Each task has a virtual deadline in the LO-criticality mode besides its absolute deadline. We assume that a task needs to access the related resources during its whole execution time.

TABLE I. A MIXED-CRITICALITY TASK SET

| $\tau_i$ | $L_i$ | $T_i$ | $D_i(LO)$ | $D_i(HI)$ | $C_i(LO)$ | $C_i(HI)$ | $\mathfrak{R}_i$ |
| $\tau_1$ | HI | 15 | 6 | 15 | 2 | | $\{\rho_2\}$ |
| $\tau_2$ | HI | 20 | 15 | 20 | 2 | | $\{\rho_1\}$ |
| $\tau_3$ | HI | 10 | 8 | 10 | 2 | | $\{\rho_1, \rho_2\}$ |
| $\tau_4$ | LO | 5 | 5 | | | | |

If we apply the original SRP directly to the mixed-criticality tasks with double deadlines, we can get the preemption levels in the LO-criticality mode as: $\lambda_1^{LO} = \frac{1}{6}$, $\lambda_2^{LO} = \frac{1}{15}$, $\lambda_3^{LO} = \frac{1}{8}$, $\lambda_4^{LO} = \frac{1}{5}$; and the ceilings of resources in the LO-criticality mode as: $\mathrm{ceil}_{LO}(\rho_1) = \max(\lambda_2^{LO}, \lambda_3^{LO}) = \frac{1}{8}$, $\mathrm{ceil}_{LO}(\rho_2) = \max(\lambda_1^{LO}, \lambda_3^{LO}) = \frac{1}{6}$. We can get the preemption levels in the HI-criticality mode as: $\lambda_1^{HI} = \frac{1}{15}$, $\lambda_2^{HI} = \frac{1}{20}$, $\lambda_3^{HI} = \frac{1}{10}$; and the ceilings of resources in the HI-criticality mode as $\mathrm{ceil}_{HI}(\rho_1) = \max(\lambda_2^{HI}, \lambda_3^{HI}) = \frac{1}{10}$, $\mathrm{ceil}_{HI}(\rho_2) = \max(\lambda_1^{HI}, \lambda_3^{HI}) = \frac{1}{10}$.

The timeline is shown in Fig. 1. At time 0, $\tau_2$ is released. Since there are not any other active tasks and no resource is locked (i.e. $\Pi_s = 0$), $\tau_2$ starts to execute and locks resource $\rho_1$ immediately; now the system ceiling $\Pi_s = \mathrm{ceil}_{LO}(\rho_1) = \frac{1}{8}$. At time 1, $\tau_1$, $\tau_3$, $\tau_4$ are released simultaneously. Since $\tau_4$ has the earliest LO-criticality mode deadline and its preemption level $\lambda_4^{LO}$ is higher than $\Pi_s$, it preempts task $\tau_2$. At time 2, $\tau_4$ is finished. Since $\tau_1$ uses a rather earlier LO-criticality mode deadline than $\tau_2$ and $\tau_3$, and $\lambda_1^{LO} > \Pi_s$, according to SRP, it starts to execute. $\tau_1$ locks another resource $\rho_2$ immediately, so now the system ceiling $\Pi_s = \max(\mathrm{ceil}_{LO}(\rho_1), \mathrm{ceil}_{LO}(\rho_2)) = \frac{1}{6}$. At time 4, the mode switch occurs because $\tau_1$ needs to execute for more than $C_1(LO)$. After the mode switch, $\tau_4$ is dropped, and $\tau_1$, $\tau_2$ and $\tau_3$ use their HI-criticality mode deadlines (i.e. 16, 20, 11) and $\Pi_s = \max(\mathrm{ceil}_{HI}(\rho_1), \mathrm{ceil}_{HI}(\rho_2)) = \frac{1}{10}$. Since $\tau_1$'s and $\tau_2$'s HI-criticality mode deadlines are later than $\tau_3$'s, and $\lambda_3^{HI} \le \Pi_s$, $\tau_3$ is blocked. From $\tau_3$'s point of view, it is blocked by both $\tau_1$ and $\tau_2$, which is contradictory to the property of SRP that a job can be blocked only once by one lower-priority job. So simply applying the original SRP to the mixed-criticality tasks with double deadlines is no longer correct.

Fig. 1. Multiple blocking: $\tau_3$ is blocked by both $\tau_1$ and $\tau_2$ in the HI-criticality mode. The arrivals are depicted with upward arrows, the virtual LO-criticality mode deadlines are depicted with downward dot-dash arrows, and the original deadlines are depicted with downward arrows.

III. MC-SRP
We now present MC-SRP, a revised SRP protocol for use with the MC scheduling algorithms with the dual-deadline model. Given a dynamic-priority scheduled mixed-criticality task set $(\Gamma, \Pi)$, we can use the preemption level mapping $\lambda$ to transform it into the statically analyzable system $(\Gamma, \lambda)$. The LO-criticality mode and HI-criticality mode preemption levels of each task $\tau_i \in \Gamma$ are given similarly to SRP:

$$\lambda_i^{LO} \stackrel{\text{def}}{=} \frac{1}{D_i(LO)}, \qquad \lambda_i^{HI} \stackrel{\text{def}}{=} \frac{1}{D_i(HI)} \qquad (3)$$

Every resource $\rho_k \in LO(\mathfrak{R})$ is assigned a static ceiling $\mathrm{ceil}_{LO}(\rho_k)$:

$$\mathrm{ceil}_{LO}(\rho_k) = \left\| \max_{\tau_i \in LO(\Gamma)} \{\lambda_i^{LO} \mid \tau_i \text{ needs } \rho_k\} \right\|_0 \qquad (4)$$

Every resource $\rho_k \in HI(\mathfrak{R})$ is assigned two static ceilings $\mathrm{ceil}_{HI}(\rho_k)$ and $\mathrm{ceil}_{LO}(\rho_k)$. The HI-criticality mode ceiling $\mathrm{ceil}_{HI}(\rho_k)$ is defined as

$$\mathrm{ceil}_{HI}(\rho_k) = \left\| \max_{\tau_i \in HI(\Gamma)} \{\lambda_i^{HI} \mid \tau_i \text{ needs } \rho_k\} \right\|_0 \qquad (5)$$

To avoid unsafe blocking, the LO-criticality mode ceiling $\mathrm{ceil}_{LO}(\rho_k)$ in the MC-SRP is defined such that $\tau_i$ cannot preempt $\tau_j$ in LO-criticality mode unless it can also preempt $\tau_j$ in HI-criticality mode:

$$\forall \rho_k \in HI(\mathfrak{R}): \; \mathrm{ceil}_{LO}(\rho_k) = \left\| \max_{\tau_i \in HI(\Gamma)} \{\lambda_i^{LO} \mid \lambda_i^{HI} \le \mathrm{ceil}_{HI}(\rho_k)\} \right\|_0 \qquad (6)$$

We define two dynamic system ceilings $\Pi_s^{LO}$ and $\Pi_s^{HI}$:

$$\Pi_s^{LO} = \left\| \max\{\mathrm{ceil}_{LO}(\rho_k) \mid \rho_k \text{ is currently busy}\} \right\|_0 \qquad (7)$$

$$\Pi_s^{HI} = \left\| \max\{\mathrm{ceil}_{HI}(\rho_k) \mid \rho_k \text{ is currently busy}\} \right\|_0 \qquad (8)$$

The MC-SRP scheduling rules are defined as follows:

In the LO-criticality mode, a job $\tau_i$ is not allowed to start executing until its LO-criticality mode deadline is the earliest among the active jobs and its LO-criticality mode preemption level $\lambda_i^{LO}$ is greater than the LO-criticality mode system ceiling $\Pi_s^{LO}$.

In the HI-criticality mode, all LO-criticality tasks are suspended and a HI-criticality job $\tau_i$ is not allowed to start executing until its HI-criticality mode (absolute) deadline is the earliest among the active jobs and its HI-criticality mode preemption level $\lambda_i^{HI}$ is greater than the HI-criticality mode system ceiling $\Pi_s^{HI}$.

Example 2: we use the same task set as shown in Table I. Now we apply MC-SRP to the task set. Using Equation (3), we can get $\lambda_1^{LO} = 3$, $\lambda_2^{LO} = 1$, $\lambda_3^{LO} = 2$, $\lambda_4^{LO} = 4$; $\lambda_1^{HI} = 2$, $\lambda_2^{HI} = 1$, $\lambda_3^{HI} = 3$. Using (5), we can get $\mathrm{ceil}_{HI}(\rho_1) = 3$, $\mathrm{ceil}_{HI}(\rho_2) = 3$. Using (6), we can get $\mathrm{ceil}_{LO}(\rho_1) = 3$, $\mathrm{ceil}_{LO}(\rho_2) = 3$.

The timeline in the HI-criticality mode is shown in Fig. 2. At time 1, $\Pi_s^{LO} = \mathrm{ceil}_{LO}(\rho_1) = 3$. Since $\tau_4$ has the earliest LO-criticality mode deadline and its preemption level $\lambda_4^{LO}$ is higher than $\Pi_s^{LO}$, it preempts $\tau_2$. At time 2, $\tau_4$ is finished. Although $\tau_1$ has an earlier LO-criticality mode deadline than $\tau_2$, it cannot preempt $\tau_2$ because $\lambda_1^{LO}$, which has a value of 3, is not greater than the LO-criticality mode system ceiling $\Pi_s^{LO}$. Hence, $\tau_2$ continues to execute. At time 3, the mode switch occurs because $\tau_2$ needs to execute for more than $C_2(LO)$. After the mode switch, $\tau_4$ is dropped, and $\tau_1$, $\tau_2$ and $\tau_3$ use their HI-criticality mode deadlines (i.e. 16, 20, 11) and $\Pi_s^{HI} = \max(\mathrm{ceil}_{HI}(\rho_1), \mathrm{ceil}_{HI}(\rho_2)) = 3$. Since no active task's HI-criticality mode preemption level is greater than $\Pi_s^{HI}$, $\tau_2$ continues to execute. At time 4, $\tau_2$ finishes and unlocks resource $\rho_1$, then $\Pi_s^{HI} = 0$. Since $\tau_3$ has the earliest HI-criticality mode deadline among active HI-criticality tasks and $\lambda_3^{HI} = 3 > 0$, $\tau_3$ starts to execute and locks resources $\rho_1$ and $\rho_2$ immediately, then $\Pi_s^{HI}$ becomes 3. At time 7, $\tau_3$ finishes and unlocks resources $\rho_1$ and $\rho_2$, then $\Pi_s^{HI} = 0$. Now, since $\tau_1$ has the earliest HI-criticality mode deadline among active HI-criticality tasks and $\lambda_1^{HI} = 3 > 0$, $\tau_1$ starts to execute and locks resource $\rho_2$ immediately, then $\Pi_s^{HI}$ becomes 3. The timeline in the LO-criticality mode is shown in Fig. 3. From Fig. 2 and Fig. 3, we can see each job can be blocked only once in each mode under MC-SRP.

Fig. 2. MC-SRP: mode switch occurs at time 3 due to task $\tau_2$

Fig. 3. MC-SRP: No extra blocking in the LO-criticality mode

Fig. 4. MC-SRP: mode switch occurs at time 5 due to task $\tau_1$
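The ceiling computation of Equations (3) to (6), applied to the Table I task set, as an added example (not code from the paper). The names `t1`..`t4`, `r1`, `r2` and all function names are assumptions of this sketch; it also computes the plain SRP ceiling of the motivating example so that the decision taken at time 2 can be compared under both protocols.

```python
"""MC-SRP resource ceilings for the Table I task set (added example)."""

# Table I as given on the page: name -> (criticality, D(LO), D(HI), resources).
# t1..t4 stand for tau_1..tau_4, r1/r2 for rho_1/rho_2 (names assumed here).
TASKS = {
    "t1": ("HI", 6, 15, {"r2"}),
    "t2": ("HI", 15, 20, {"r1"}),
    "t3": ("HI", 8, 10, {"r1", "r2"}),
    "t4": ("LO", 5, None, set()),
}


def integer_levels(deadlines):
    """Integer form of lambda = 1/D: a shorter deadline gets a higher level."""
    distinct = sorted(set(deadlines.values()), reverse=True)
    rank = {d: i for i, d in enumerate(distinct, start=1)}
    return {name: rank[d] for name, d in deadlines.items()}


def levels(tasks):
    """Eq. (3): LO levels for all tasks, HI levels for HI-criticality tasks."""
    lo = integer_levels({n: t[1] for n, t in tasks.items()})
    hi = integer_levels({n: t[2] for n, t in tasks.items() if t[0] == "HI"})
    return lo, hi


def users(tasks, resource):
    return [n for n, t in tasks.items() if resource in t[3]]


def ceil_hi(tasks, hi, resource):
    """Eq. (5): highest HI level among the tasks that need the resource."""
    return max((hi[n] for n in users(tasks, resource)), default=0)


def ceil_lo_srp(tasks, lo, resource):
    """Original SRP ceiling on LO levels, as in the motivating example."""
    return max((lo[n] for n in users(tasks, resource)), default=0)


def ceil_lo_mcsrp(tasks, lo, hi, resource):
    """Eq. (6): highest LO level over HI tasks with HI level <= ceil_HI."""
    bound = ceil_hi(tasks, hi, resource)
    return max((lo[n] for n in hi if hi[n] <= bound), default=0)


def may_start(level, held, ceiling_of):
    """Ceiling half of the scheduling rule: level must exceed system ceiling."""
    system_ceiling = max((ceiling_of[r] for r in held), default=0)
    return level > system_ceiling


def time2_decision(tasks=TASKS):
    """Time 2 of both examples: t2 holds r1 and t1 has the earliest deadline."""
    lo, hi = levels(tasks)
    srp = {r: ceil_lo_srp(tasks, lo, r) for r in ("r1", "r2")}
    mcsrp = {r: ceil_lo_mcsrp(tasks, lo, hi, r) for r in ("r1", "r2")}
    return {
        "srp": may_start(lo["t1"], {"r1"}, srp),
        "mcsrp": may_start(lo["t1"], {"r1"}, mcsrp),
    }


if __name__ == "__main__":
    lo_levels, hi_levels = levels(TASKS)
    print("LO levels:", lo_levels)
    print("HI levels:", hi_levels)
    print("t1 may start at time 2:", time2_decision())
```

Under the plain SRP ceiling, `t1` is admitted while `t2` still holds `r1`, which is the start of the multiple blocking in Fig. 1; with the Eq. (6) ceiling it is held back, as in Example 2.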
The MC-SRP has the following set of properties. Most importantly, MC-SRP avoids unbounded blocking (Property 3), as demonstrated in Example 2.

Property 1: Task $\tau_i$ is not allowed to preempt task $\tau_j$ in the LO-criticality mode, unless $\lambda_i^{LO} > \lambda_j^{LO}$; task $\tau_i$ is not allowed to preempt task $\tau_j$ in the HI-criticality mode, unless $\lambda_i^{HI} > \lambda_j^{HI}$.

Property 2: Under MC-SRP, a task $\tau_i$ can only be blocked for at most one critical section in each mode (LO-criticality mode and HI-criticality mode).

Proof: First, we prove that a HI-criticality task $\tau_i$ can be blocked at one critical section in LO-criticality mode and one critical section in HI-criticality mode. As seen in Fig. 4, the carry-over job of $\tau_3$ experienced both blocking from $\tau_2$ in the LO-criticality mode and blocking from $\tau_1$ in the HI-criticality mode.

Second, we prove that a task $\tau_i$ can be blocked at most at one critical section in the LO-criticality mode. Suppose that $\tau_i$ is blocked for the duration of two critical sections shared with two tasks of lower LO-criticality mode preemption level, $\tau_1$ and $\tau_2$. Without loss of generality, assume $\lambda_i^{LO} > \lambda_1^{LO} > \lambda_2^{LO}$. This can happen only if $\tau_1$ and $\tau_2$ hold two different resources (such as $\rho_1$ and $\rho_2$) and $\tau_2$ is preempted by $\tau_1$ inside its critical section operating on resource $\rho_2$. This immediately yields a contradiction. In fact, since $\tau_1$ is not blocked by $\tau_2$ on resource $\rho_2$, we have $\lambda_1^{LO} > \mathrm{ceil}_{LO}(\rho_2)$. On the other hand, since $\tau_i$ is blocked by $\tau_2$ on resource $\rho_2$, we have $\mathrm{ceil}_{LO}(\rho_2) \ge \lambda_i^{LO}$. Hence, we obtain that $\lambda_1^{LO} > \lambda_i^{LO}$, which contradicts the assumption.

Finally, we prove that a HI-criticality task $\tau_i$ can be blocked at most at one critical section in the HI-criticality mode. Suppose that $\tau_i$ is blocked for the duration of two critical sections shared with two tasks of lower HI-criticality mode preemption level, $\tau_1$ and $\tau_2$. Without loss of generality, assume $\lambda_i^{HI} > \lambda_1^{HI} > \lambda_2^{HI}$. This can happen only if $\tau_1$ and $\tau_2$ hold two different resources (such as $\rho_1$ and $\rho_2$) and $\tau_2$ is preempted by $\tau_1$ inside its critical section operating on resource $\rho_2$. Since $\tau_1$ is not blocked by $\tau_2$, we have $\lambda_1^{LO} > \mathrm{ceil}_{LO}(\rho_2)$ or $\lambda_1^{HI} > \mathrm{ceil}_{HI}(\rho_2)$. On the other hand, since $\tau_i$ is blocked by $\tau_2$ on resource $\rho_2$ in the HI-criticality mode, we have $\mathrm{ceil}_{HI}(\rho_2) \ge \lambda_i^{HI} > \lambda_1^{HI}$. As a result, according to the definition of $\mathrm{ceil}_{LO}(\rho_2)$, we can also get $\mathrm{ceil}_{LO}(\rho_2) \ge \lambda_1^{LO}$. This yields a contradiction.

Property 3: Under MC-SRP, while $\tau_H$ with high preemption level that needs shared resources is blocked by a task $\tau_L$ with low preemption level which locks some resource $\rho_k$, task $\tau_M$ with medium preemption level cannot preempt $\tau_L$. That is, it can avoid multiple priority inversion in each mode and unsafe blocking.

Proof: Assume $\tau_M$ preempts $\tau_L$ while $\tau_H$ is blocked by $\tau_L$ on $\rho_k$. If this case occurs in the LO-criticality mode, we know that $\lambda_L^{LO} < \lambda_M^{LO} < \lambda_H^{LO}$. Since $\tau_H$ is blocked by $\tau_L$ on $\rho_k$, we can get $\lambda_M^{LO} < \lambda_H^{LO} < \mathrm{ceil}_{LO}(\rho_k)$. Due to $\lambda_M^{LO} < \mathrm{ceil}_{LO}(\rho_k)$, $\tau_M$ cannot preempt $\tau_L$ while $\tau_L$ holds $\rho_k$, which contradicts the assumption. If this case occurs in the HI-criticality mode, we know that $\lambda_L^{HI} < \lambda_M^{HI} < \lambda_H^{HI}$. Since $\tau_H$ is blocked by $\tau_L$ on $\rho_k$, we can get $\lambda_M^{HI} < \lambda_H^{HI} \le \mathrm{ceil}_{HI}(\rho_k)$. In addition, according to the definition of $\mathrm{ceil}_{HI}(\rho_k)$, we can get $\lambda_M^{LO} \le \mathrm{ceil}_{LO}(\rho_k)$. Therefore, due to $\lambda_M^{HI} < \mathrm{ceil}_{HI}(\rho_k)$ and $\lambda_M^{LO} < \mathrm{ceil}_{LO}(\rho_k)$, $\tau_M$ cannot preempt $\tau_L$ while $\tau_L$ holds $\rho_k$, which contradicts the assumption.
IV. MC-SRPT

SRPT [5] is based on the observation that the threshold values used in the Preemption Threshold mechanism are very similar to the resource ceilings of SRP. In SRP, when a task accesses a critical section, the system ceiling is raised to the maximum between the current system ceiling and the resource ceiling. In this way, a released task cannot preempt the executing task unless its preemption level is greater than the current system ceiling. Such a mechanism can be thought of as a way to limit preemptability. In the following, we present MC-SRPT (MC-SRP with Thresholds).

If we want to make task $\tau_i$ and task $\tau_j$ mutually non-preemptive, we can let them share a pseudo-resource $\rho^*$. At run time, instances of $\tau_i$ or $\tau_j$ will lock $\rho^*$ when they start executing and hold the lock until they finish.

If task $\tau_i$ or task $\tau_j$ is of LO-criticality, the LO-criticality mode ceiling of resource $\rho^*$ is defined as:

(9)

If task $\tau_i$ and task $\tau_j$ are of HI-criticality, the HI-criticality mode ceiling of resource $\rho^*$ is the maximum between the HI-criticality mode preemption levels of $\tau_i$ and $\tau_j$, as follows:

(10)

The LO-criticality mode ceiling of resource $\rho^*$ is defined in the same way as Equation (6):

$$\mathrm{ceil}_{LO}(\rho^*) = \left\| \max_{\tau_i \in HI(\Gamma)} \{\lambda_i^{LO} \mid \lambda_i^{HI} \le \mathrm{ceil}_{HI}(\rho^*)\} \right\|_0 \qquad (11)$$

Suppose task $\tau_i$ needs a set of pseudo-resources $\rho^*_{i_1}, \ldots, \rho^*_{i_h}$. When $\tau_i$ starts execution, it locks all of them: in MC-SRP, this corresponds to: raising the LO-criticality mode system ceiling $\Pi_s^{LO}$ to $\max_k \mathrm{ceil}_{LO}(\rho^*_{i_k})$ in the LO-criticality mode, which we define as the LO-criticality mode preemption threshold $\gamma_i^{LO}$ of task $\tau_i$, and raising the HI-criticality mode system ceiling $\Pi_s^{HI}$ to $\max_k \mathrm{ceil}_{HI}(\rho^*_{i_k})$ in the HI-criticality mode, which is defined as the HI-criticality mode preemption threshold $\gamma_i^{HI}$ of task $\tau_i$. Each task $\tau_i$ has a LO-criticality mode preemption threshold $\gamma_i^{LO} \ge \lambda_i^{LO}$. Moreover, each HI-criticality task $\tau_i \in HI(\Gamma)$ has a HI-criticality mode preemption threshold $\gamma_i^{HI} \ge \lambda_i^{HI}$.

MC-SRPT can be thought of as an extension of the MC-SRP that adds pseudo-resources compatible with the regular shared resources. It can be easily shown that MC-SRPT retains all the properties of MC-SRP. Moreover, it has the following properties:

Property 4: Under MC-SRPT, a job can only be blocked before it starts execution; once started, it can only be preempted by jobs with higher preemption levels. (If a HI-criticality task $\tau_j$ can block another HI-criticality task $\tau_i$ in the HI-criticality mode, then $\tau_i$ and $\tau_j$ are mutually non-preemptive both in the LO-criticality mode and in the HI-criticality mode.)

Proof: Firstly, suppose two tasks $\tau_i$ and $\tau_j$ with $\gamma_j^{HI} \ge \lambda_i^{HI} > \lambda_j^{HI}$, and $\tau_i$ can be blocked by $\tau_j$ in the HI-criticality mode after it has started execution. This can happen only if $\tau_j$ preempts $\tau_i$ in the LO-criticality mode. Since $\gamma_j^{HI} \ge \lambda_i^{HI}$, we can get $\gamma_j^{LO} \ge \lambda_i^{LO}$. And since $\lambda_i^{HI} > \lambda_j^{HI}$, we can also get $\gamma_i^{LO} \ge \lambda_j^{LO}$. Therefore, $\tau_i$ and $\tau_j$ are mutually non-preemptive in the LO-criticality mode. As a result, $\tau_i$ cannot be blocked by $\tau_j$ in the HI-criticality mode after it has started execution.

Secondly, suppose two tasks $\tau_i$ and $\tau_j$ with $\gamma_j^{LO} \ge \lambda_i^{LO} > \lambda_j^{LO}$, and $\tau_i$ can be blocked by $\tau_j$ in the LO-criticality mode after it has started execution. This can happen only if $\tau_i$ preempts $\tau_j$ or $\tau_j$ preempts $\tau_i$ in the LO-criticality mode. However, since $\gamma_j^{LO} \ge \lambda_i^{LO} > \lambda_j^{LO}$, $\tau_i$ and $\tau_j$ are mutually non-preemptive in the LO-criticality mode. Therefore, a job can only be blocked before it starts execution; once started, it can only be preempted by jobs with higher preemption level.

Property 5: Under MC-SRPT, if a HI-criticality task $\tau_i$ is non-preemptive by a HI-criticality task $\tau_j$ in the HI-criticality mode, $\tau_i$ is non-preemptive by $\tau_j$ in the LO-criticality mode when $\tau_i$ has started to execute. Therefore, it can avoid unbounded blocking during the mode switch period.

Proof: Suppose $\tau_i$ is non-preemptive by $\tau_j$ in the HI-criticality mode, but $\tau_i$ is preemptive by $\tau_j$ in the LO-criticality mode when $\tau_i$ has started to execute, that is, $\gamma_i^{HI} \ge \lambda_j^{HI}$ and $\gamma_i^{LO} < \lambda_j^{LO}$. However, according to the definition of $\gamma_i^{LO}$, we can get $\gamma_i^{LO} \ge \lambda_j^{LO}$ if $\gamma_i^{HI} \ge \lambda_j^{HI}$, which contradicts the assumption.
Example 3: Consider the mixed-criticality task set in Table II, which is similar to that in Table I except for resources. Using Equation (3), we can get $\lambda_1^{LO} = 3$, $\lambda_2^{LO} = 1$, $\lambda_3^{LO} = 2$, $\lambda_4^{LO} = 4$; $\lambda_1^{HI} = 2$, $\lambda_2^{HI} = 1$, $\lambda_3^{HI} = 3$. To make $\tau_1$ and $\tau_3$ mutually non-preemptive, we introduce pseudo-resource $\rho_1^*$. When $\tau_1$ (or $\tau_3$) starts running, it immediately locks $\rho_1^*$, and holds the lock until it ends. The HI-criticality mode ceiling of $\rho_1^*$ is $\mathrm{ceil}_{HI}(\rho_1^*) = \max(\lambda_1^{HI}, \lambda_3^{HI}) = 3$; the LO-criticality mode ceiling of $\rho_1^*$ is $\mathrm{ceil}_{LO}(\rho_1^*) = \max(\lambda_1^{LO}, \lambda_2^{LO}, \lambda_3^{LO}) = 3$. Similarly, we introduce pseudo-resource $\rho_2^*$ to make $\tau_2$ and $\tau_3$ mutually non-preemptive, and get $\mathrm{ceil}_{HI}(\rho_2^*) = \mathrm{ceil}_{LO}(\rho_2^*) = 3$. By definition of preemption threshold, $\gamma_1^{LO} = \mathrm{ceil}_{LO}(\rho_1^*) = 3$, $\gamma_2^{LO} = \mathrm{ceil}_{LO}(\rho_2^*) = 3$, $\gamma_3^{LO} = \max(\mathrm{ceil}_{LO}(\rho_1^*), \mathrm{ceil}_{LO}(\rho_2^*)) = 3$, $\gamma_4^{LO} = \lambda_4^{LO} = 4$; $\gamma_1^{HI} = \mathrm{ceil}_{HI}(\rho_1^*) = 3$, $\gamma_2^{HI} = \mathrm{ceil}_{HI}(\rho_2^*) = 3$, $\gamma_3^{HI} = \max(\mathrm{ceil}_{HI}(\rho_1^*), \mathrm{ceil}_{HI}(\rho_2^*)) = 3$.

TABLE II. A MIXED-CRITICALITY TASK SET

| $\tau_i$ | $L_i$ | $T_i$ | $D_i(LO)$ | $D_i(HI)$ | $C_i(LO)$ | $C_i(HI)$ |
| $\tau_1$ | HI | 15 | 6 | 15 | 2 | |
| $\tau_2$ | HI | 20 | 15 | 20 | 2 | |
| $\tau_3$ | HI | 10 | 8 | 10 | 2 | |
| $\tau_4$ | LO | 5 | 5 | | | |

MC-SRPT works as follows (see Fig. 5, which is similar to Fig. 2 except for resources):

• Initially, the system is in the LO-criticality mode and the system ceiling $\Pi_s^{LO}$ is 0. At time 0, task $\tau_2$ is activated and starts executing. The system ceiling $\Pi_s^{LO}$ is equal to $\gamma_2^{LO}$.

• At time 1, tasks $\tau_1$, $\tau_3$, $\tau_4$ arrive. $\tau_4$ has the earliest LO-criticality mode deadline, and its LO-criticality mode preemption level $\lambda_4^{LO}$ is higher than the current system ceiling $\Pi_s^{LO}$. Hence, according to MC-SRPT, $\tau_4$ preempts $\tau_2$.

• At time 2, task $\tau_4$ is finished. Although $\tau_1$ has the earliest LO-criticality mode deadline among the active tasks, it cannot start running, since its LO-criticality mode preemption level $\lambda_1^{LO}$ is not higher than the current system ceiling $\Pi_s^{LO}$. Hence, according to MC-SRPT, $\tau_2$ continues to execute.

• At time 3, task $\tau_2$ has run for $C_2(LO)$ without signaling completion, causing a system-wide mode switch to the HI-criticality mode according to [1]. Hence, by MC-SRPT, $\tau_4$ is dropped, and $\tau_1$, $\tau_2$, $\tau_3$ begin to use their HI-criticality mode deadlines, and the system ceiling $\Pi_s^{HI}$ is equal to $\gamma_2^{HI}$. At this point, even though $\tau_3$ has the earliest HI-criticality mode deadline, its HI-criticality mode preemption level $\lambda_3^{HI}$ is not higher than the current system ceiling $\Pi_s^{HI}$, so it is blocked, and $\tau_2$ continues to run.

• At time 4, task $\tau_2$ finishes, and the system ceiling $\Pi_s^{HI}$ returns to 0. At this point, task $\tau_3$ can start running. The system ceiling $\Pi_s^{HI}$ is raised to $\gamma_3^{HI}$.

• At time 7, task $\tau_3$ finishes, and the system ceiling $\Pi_s^{HI}$ returns to 0. At this point, task $\tau_1$ can start running. The system ceiling $\Pi_s^{HI}$ is raised to $\gamma_1^{HI}$.

Fig. 5. MC-SRPT: No multiple blocking in the HI-criticality mode

V. SCHEDULABILITY ANALYSIS

For a mixed-criticality system, we need to check three conditions to verify schedulability of a task set: 1) schedulability in LO-criticality mode; 2) schedulability in the HI-criticality mode; and 3) schedulability during mode-switch period.

A. Schedulability analysis in LO-criticality mode
While the system is in LO-criticality mode, each task $\tau_i$ behaves as a normal sporadic task with parameters $C_i(LO)$, $D_i(LO)$ and $T_i$. We follow the analysis in [8]. First, we calculate the maximum blocking time $B_r^{LO}(L)$ that can be experienced by $\tau_i \in \Gamma$ inside a busy period of length $L$ in the LO-criticality mode, since its LO-criticality mode preemption level is no greater than the LO-criticality mode ceiling of some resource:

$$B_r^{LO}(L) = \left\| \max_{\forall i,j,h} \left( \{\varsigma_{jh} - 1 \mid D_i(LO) \le L \wedge D_j(LO) > (L + 1) \wedge \mathrm{ceil}_{LO}(\varrho_{jh}) \ge \lambda_i^{LO}\} \right) \right\|_0 \qquad (12)$$

The maximum blocking time $B_p^{LO}(L)$ that can be experienced by any task $\tau_i \in \Gamma$ inside a busy period of length $L$ due to the preemption threshold settings is:

$$B_p^{LO}(L) = \left\| \max_{\forall i,j} \left( \{C_j(LO) - 1 \mid D_i(LO) \le L \wedge D_j(LO) > (L + 1) \wedge \gamma_j^{LO} \ge \lambda_i^{LO}\} \right) \right\|_0 \qquad (13)$$

The maximum blocking time $B^{LO}(L)$ which denotes the maximum blocking time experienced by $\Gamma$ inside a busy period of length $L$ in the LO-criticality mode is defined as:

A sufficient schedulability condition in LO-criticality mode is known from [8]:

Theorem 1. The following condition is sufficient for guaranteeing that $\Gamma$ is schedulable under EDF+MC-SRPT in the LO-criticality mode:

$$\forall L \in d^{LO}: \; B^{LO}(L) \le \mathrm{SLACK}^{LO}(L),$$

where

$$\mathrm{SLACK}^{LO}(L) = L - \sum_{k=1}^{N} \left( \left\lfloor \frac{L - D_k(LO)}{T_k} \right\rfloor + 1 \right) C_k(LO).$$

Here $d^{LO}$ denotes the set of
B. Schedulability analysis in HIcriticality mode
The schedulability condition in HIcriticality mode is sim ilar to that of LOcriticality mode. When all carryover jobs have completed, and the system is in HIcriticality mode, each task Ti E HI (r) behaves as a normal sporadic task with parameters Ci (HI) , Di (HI) and Ti . The maximum blocking time B rH I (L) which denotes the maximum blocking time that can be experienced by any task Ti E H I(f) inside a busy period of length L in the HIcriticality mode due to its HI criticality mode preemption level is not greater than the HI criticality mode ceiling of some resources is defined as follows [8]:
( I 'h,JEmax HI(r),Vh {C;jh  1 1 Di (HI):S: L ec ilHI(je h)�AfI } )l o Dj (HI»(L + l )
B rHI (L) =
. .
/\
/\
(15)
The maximum blocking time B pHI (L) which denotes the maximum blocking time that can be experienced by any task Ti E H I(f) inside a busy period of length L in the HI criticality mode due to its HIcriticality mode preemption level is not greater than the preemption threshold of tasks with lower HIcriticality mode preemption level is defined as follows:
I
({Cj (HI)  1 1 Di (HI) :s: L Dj (HI)> (L + l ) "tfII �AfI } ) l o
B pHI (L) = �i�f
t
E
dHI : B HI (L) :s: SLACK HI (L)
233
I
_
_
Switch to , HIcriticality mode
r
, ' , \',t*
,
�
UHI H UI
, ' , ,'t ,
' i r+ Di (LO)
I +l
1=
)
,
r+ Di (HI)
L  (Di (HI)  Di (LO ) )
Fig. 6. A carryover job o f Ti has a remaining scheduling window of length L after the switch to HIcriticality. Here the switch happens before the job's LOcriticality deadline.
The schedu
Theorem 2. The following condition is sufficient for guaran teeing that HI(r) is schedulable under EDF+MCSRP T in the steady HIcriticality mode:
VL
(
Assume tasks are schedulable in both the LOcriticality mode and HIcriticality mode. To check schedulability during the �ode switch period, we need to make sure all the carry over Jobs are schedulable during the mode switch period. Let t* denote the timeinstant at which HIcriticality behavior is first flagged (i.e., the first instant at which some job executes for more than its LOcriticality worstcase execution time without signaling that it has completed execution). Suppose some task misses its deadline during the mode switch period. Let t be the first time instant when such a deadline miss occurs, and the job is from Ti . We denote L = t  t*. There can be at most on� j�b with deadline> t that executes in the interval [t*, t] . ThIS IS a blocking job since it delays the execution of some job with earlier deadline. No job released after t* and with deadline> t  t* could execute in [t*, tJ , because the carry over job from Ti is already released before t* and with absolute deadline = t. Thus, the blocking job from Tj that executes in the interval [t*, t] must be released before t*. Hence, it is a carryover job with relative deadline Dj (H I) > t  t*. 1) Blocking Function: As seen in Fig. 6, the maximum blocking time B pf1C (L) that a HIcriticality task Ti E HI(r) can experience with the MCSRPT during the the scheduling window [t*, t] due to preemption thresholds is defined in the following cases:
• m.
) Ck (HI)
C. Schedulability analysis during mode switch period
(16)
The maximum blocking time B H I (L) which denotes the na � �imum blocki?g tin�e that can be experienced by HI (f) Inside a busy penod of length L in the HIcriticality mode is defined as: Assume the number of tasks in H I(r) is lability test is known from [8]:
Tk
k =l
UHI " UHI
/\
/\
M
L (l L  Dk (HI) J + I
"' M l (Tt D t (HI) ) Ut HI H x ' L..n= H and max D ma 1 where D ::'�x = max{D1 (HI) , . . . , D M (HI) } , = t M Ci (HI) = � t . and Tt i=1 .
hyperperlOd
LOx ' Lil (Ti  Di (LO) ) U PO ' max D ma 1 U LO where D *,�x = max{D1 (LO) , . . . , D N (LO) } , Ut LO = N Ci (LO) " LO and U = � Ut LO. Tt i =l H
SLACK HI (L) = L 
(18) . where d IS the set of all absolute deadlines no greater than a certain point in time, given by the minimum between the
all absolute deadlines no greater than a certain time instant, given bJv the minimum of the hy
perperiod
with
• If $L < D_i(HI) - D_i(LO)$, the start of the mode switch period t is after the deadline of $\tau_i$ in LO-criticality mode, then the maximum blocking time $B_p^{MC}(L) = 0$.
• $(D_i(HI) - D_i(LO)) \le L < C_i(LO) + (D_i(HI) - D_i(LO))$. Since the carry-over job of $\tau_i$ would have met its deadline in LO-criticality mode if the switch had not happened, there can be at most $l = L - (D_i(HI) - D_i(LO))$ time units left of its LO-criticality execution demand $C_i(LO)$ at the time of the switch. The job must therefore have executed for at least $C_i(LO) - l$ time units before the switch. According to Property 4 of MCSRPT, $\tau_i$ cannot be blocked after it starts execution, so $B_p^{MC}(L) = 0$.
• If $L \ge C_i(LO) + (D_i(HI) - D_i(LO))$, the carry-over job of $\tau_i$ may not have started execution at time t. In this case, if $\tau_i$ has the highest HI-criticality preemption level, the maximum blocking time $B_p^{MC}(L)$ must be due to a task $\tau_j$ with lower HI-criticality preemption level which incurs the mode switch. Since $\tau_j$ is non-preemptive by $\tau_i$ (with highest preemption level in HI-criticality mode), it is non-preemptive by other tasks in HI-criticality mode. By Property 5 of MCSRPT, $\tau_j$ is also non-preemptive by any other HI-criticality task in the LO-criticality mode when it has started. The maximum blocking time $B_p^{MC}(L)$ that $\tau_i$ can experience during the scheduling window of $[t^*, t]$ is from the blocking task $\tau_j$ with $(D_j(HI) > L)$ and the maximum $(C_j(HI) - C_j(LO))$.
• If $L \ge C_i(LO) + (D_i(HI) - D_i(LO))$ and the HI-criticality mode preemption level of $\tau_i$ is not the highest, the mode switch may be incurred by task $\tau_k$ with higher HI-criticality mode preemption level than $\tau_i$, which preempts the carry-over job from $\tau_j$ that can block $\tau_i$ when $\tau_j$ has executed for 1 time unit in the LO-criticality mode. So the maximum blocking time $B_p^{MC}(L)$ that $\tau_i$ can experience during the scheduling window of $[t^*, t]$ is from the blocking task $\tau_j$ with $D_j(HI) > L$ and the maximum $C_j(HI)$.
Summarizing the above cases, we have

$$B_p^{MC}(L) = \begin{cases} 0, & \text{if } l < C_i(LO); \\ \max\{ C_j(HI) - C_j(LO) \mid \lambda_j^{HI} < \lambda_i^{HI} \le \gamma_j^{HI} \wedge D_j(HI) - 1 > L \}, & \text{if } l \ge C_i(LO) \wedge \lambda_i^{HI} \text{ is the highest}; \\ \max\{ C_j(HI) \mid \lambda_j^{HI} < \lambda_i^{HI} \le \gamma_j^{HI} \wedge D_j(HI) - 1 > L \}, & \text{otherwise.} \end{cases} \quad (19)$$

Theorem 3. The maximum length of the mode switch period is $D_{max}^{HI} = \max_{\tau_i \in HI(\Gamma)} (D_i(HI))$. It is sufficient for guaranteeing that $HI(\Gamma)$ is schedulable under EDF+MCSRPT in the switch mode:

$$\forall\, 0 \le L \le D_{max}^{HI}: \quad B^{MC}(L) + \sum_{\tau_k \in HI(\Gamma)} dbf_{HI}(\tau_k, L) \le L \quad (22)$$

where $B^{MC}(L)$ is defined in Equation (21), and $dbf_{HI}(\tau_k, L)$ is the same as Equation (2).

Example 4: Applying the schedulability test during the mode switch (Equation (22)) to Example 3, we can get the maximum length of the mode-switch period as $D_{max}^{HI} = 20$.
• If $L = 1$, $B^{MC}(L) = 0$. No job can fit in the scheduling window of $[0, L]$;
• If $L = 2$, $B^{MC}(L) = 0$. Only the carry-over job of $\tau_3$ can fit in the scheduling window of $[0, L]$, and
B tIC (L)
if L:S; (Di (HI)  Di (LO) ;
fA I
(21)
t
=
=
0;
• If $3 \le L \le 4$, $B^{MC}(L) = 1$. Only the carry-over job from $\tau_3$ can fit in the scheduling window of $[0, L]$. Since $\tau_3$ has the highest preemption level in the HI-criticality mode, the job that blocked $\tau_3$ during the mode switch must be the job that caused the mode switch, so the maximum blocking time is $B_i^{MC}(L) = 1$.
B rr c (L)
max )� (B M C (L) ) Di(HI)D.i( LO L
The demand-bound function $dbf_{HI}(\tau_i, L)$ for task $\tau_i$, which upper-bounds the maximum execution demand of jobs from $\tau_i$ inside the interval $[t^*, t]$ of length $L$, is defined in Equation (2). The maximum length of the mode switch period is the maximum HI-criticality mode relative deadline, that is, $D_{max}^{HI} = \max_{\tau_i \in HI(\Gamma)} (D_i(HI))$, so $t \le D_{max}^{HI}$. Summing the cumulative demand of all jobs over $[t^*, t]$, we get $B^{MC}(L) + \sum_{\tau_k \in HI(\Gamma)} dbf_{HI}(\tau_k, L) > L$. Taking the contrapositive, we get the following theorem.
The maximum blocking time $B_r^{MC}(L)$ that a HI-criticality task $\tau_i \in HI(\Gamma)$ can experience with the MCSRPT during the scheduling window $[t^*, t]$ of length $L$ due to resources is defined as ($l = L - (D_i(HI) - D_i(LO))$):
{O'max{ L } , otherwise.
• If $5 \le L \le 8$, $B^{MC}(L) = 1$. Only the carry-over jobs from $\tau_3$ and $\tau_2$ can fit in the scheduling window of $[0, L]$. Since $\tau_2$ has the lowest preemption level in the HI-criticality mode, $B_2^{MC}(L) = 0$, so the maximum blocking time is $B_i^{MC}(L) = 1$.
The maximum blocking time $B_i^{MC}(L)$ that can be experienced by a HI-criticality task $\tau_i \in HI(\Gamma)$ in the scheduling window $[t^*, t]$ of length $L$ during the mode switch period:
• If $9 \le L \le 10$, $B^{MC}(L) = 1$. Besides the carry-over jobs from $\tau_3$ and $\tau_2$, the carry-over job from $\tau_1$ can fit in the scheduling window of $[0, L]$. If the carry-over job from $\tau_1$ can fit in $[0, L]$, it must have started running sometime before the switch, otherwise it would have missed its deadline in the LO-criticality mode. Therefore, no job can block the carry-over job from $\tau_1$ within $[0, L]$ during the mode switch, so the maximum blocking time is $B_i^{MC}(L) = 1$.
If 1 1
L 2,BrC (L)
•
:s;
:s;
=
2. Since BfIC (L) 18, B M C (L) O,BfIC (L) 1 =
=
=
=
• If $19 \le L \le 20$, $B^{MC}(L) = 0$. No task $\tau_i$ satisfies $D_i(HI) - 1 > L$, hence there is no blocking job in the scheduling window of $[0, L]$, so the maximum blocking time is 0.

VI. MINIMIZING STACK MEMORY SIZE

Up to now we have assumed that task preemption thresholds are given as problem input, and addressed task schedulability issues. In this section, we present the Preemption Threshold Assignment Algorithm (PTAA) [9], as shown in Algorithm 1. PTAA was shown to be optimal with respect to stack usage (with the assumption of a given priority assignment) [9]. Given $\Gamma$, a mixed-criticality sporadic task set $\Gamma = \{(L_i, C_i(LO), C_i(HI), D_i(LO), D_i(HI), T_i) \mid 1 \le i \le N\}$, and preemption levels $\lambda_i^{LO}$ and $\lambda_i^{HI}$ already assigned to each task $\tau_i$ as explained earlier for dynamic-priority schemes, PTAA finds preemption threshold assignments $\Psi^{HI}$ and $\Psi^{LO}$ for each task in $\Gamma$.

Tasks in $HI(\Gamma)$ are ordered by increasing HI-criticality mode preemption levels; tasks in $\Gamma$ are ordered by increasing LO-criticality mode preemption levels. Initially each task is assigned the identity preemption thresholds (i.e. $\gamma_i^{LO} = \lambda_i^{LO}$, $\gamma_i^{HI} = \lambda_i^{HI}$). In this algorithm, the HI-criticality mode preemption thresholds of HI-criticality tasks are first assigned, from tasks with the highest HI-criticality mode preemption level to tasks with the lowest HI-criticality mode preemption level; then the LO-criticality mode preemption thresholds of tasks are assigned from tasks with the highest LO-criticality mode preemption level to tasks with the lowest LO-criticality mode preemption level.

Procedure $HI(\Gamma)$.getTaskHI($\gamma_i^{HI}$) returns the task with HI-criticality mode preemption level equal to the current HI-criticality mode preemption threshold of $\tau_i$, and $\Gamma$.getTaskLO($\gamma_i^{LO}$) returns the task with LO-criticality mode preemption level equal to the current LO-criticality mode preemption threshold of $\tau_i$; adjustPTLO($\tau_i$) sets the LO-criticality mode preemption threshold of $\tau_i$ according to $\gamma_i^{HI}$ using Equation (11); procedures isSchedulableHI(), isSchedulableLO() and isSchedulableSM() check schedulability of the task set in the HI-criticality mode, LO-criticality mode and during the mode switch period, respectively. To reduce the complexity of the procedures isSchedulableHI() and isSchedulableLO(), we use the following techniques: since $\{d_k\}$ and $\{SLACK(d_k)\}$ are fixed for the task sets $\Gamma^{LO}$ and $\Gamma^{HI}$, which are independent of preemption threshold assignment $\Psi$, we record them. Every time the preemption threshold $\gamma_i$ of $\tau_i$ is increased to the preemption level $\lambda_j$ of $\tau_j$, we only need to check $d_k \in \{d_k \mid D_i > d_k \ge D_j\}$ (because this preemption threshold change may only affect the maximum blocking time of these $d_k$). If $\forall d_k \in \{d_k \mid D_i > d_k \ge D_j\}$, $B(d_k) \le SLACK(d_k)$, the task set is schedulable (in fact we only need to check $\forall d_k \in \{d_k \mid D_i > d_k \ge D_j\}$, $C_i \le SLACK(d_k)$).

Algorithm 1 PTAA($HI(\Gamma)$, $\Gamma$, $\pi$)
/* initialize preemption threshold to identity assignment */
$\Psi = \Psi_I$
/* First, assign the preemption thresholds of HI-criticality tasks in the HI-criticality mode */
foreach $\tau_i \in HI(\Gamma)$ do
    schedulable = TRUE
    while (schedulable == TRUE and $\gamma_i^{HI}$ is below the highest HI-criticality mode preemption level) do
        $\gamma_i^{HI} = \gamma_i^{HI} + 1$
        $\gamma_{old} = \gamma_i^{LO}$
        /* Check schedulability in steady HI-criticality mode */
        $\tau_j$ = $HI(\Gamma)$.getTaskHI($\gamma_i^{HI}$)
        schedulable = isSchedulableHI($D_i(HI)$, $D_j(HI)$)
        if (schedulable == TRUE) then
            /* Adjust $\gamma_i^{LO}$ according to Eqn. (11) */
            $\gamma_i^{LO}$ = adjustPTLO($\tau_i$)
            $\tau_k$ = $\Gamma$.getTaskLO($\gamma_i^{LO}$)
            schedulable = isSchedulableLO($D_i(LO)$, $D_k(LO)$)
        end if
        /* Check schedulability during mode switch */
        if (schedulable == TRUE) then
            schedulable = isSchedulableSM()
        end if
        if (schedulable == FALSE) then
            $\gamma_i^{LO} = \gamma_{old}$
            $\gamma_i^{HI} = \gamma_i^{HI} - 1$
        end if
    end while
end for
/* Assign task preemption thresholds in LO-criticality mode */
foreach $\tau_i \in \Gamma$ do
    schedulable = TRUE
    while (schedulable == TRUE and $\gamma_i^{LO}$ is below the highest LO-criticality mode preemption level) do
        $\gamma_i^{LO} = \gamma_i^{LO} + 1$
        /* Check the schedulability in the LO-criticality mode */
        $\tau_j$ = $\Gamma$.getTaskLO($\gamma_i^{LO}$)
        schedulable = isSchedulableLO($D_i(LO)$, $D_j(LO)$)
        if (schedulable == FALSE) then
            $\gamma_i^{LO} = \gamma_i^{LO} - 1$
        end if
    end while
end for
return $\Psi$
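The LO-criticality check that isSchedulableLO() stands for (Theorem 1 with the threshold blocking term of Equation (13)) can be written out as follows. This is an added Python example, not code from the paper: the names `Task`, `slack_lo`, `blocking_pt_lo`, `deadlines_lo`, `first_violation_lo` and `with_threshold` are hypothetical, the task set is constructed, and it assumes no shared resources (so $B^{LO}(L) = B_p^{LO}(L)$), integer parameters and $D_i(LO) \le T_i$.

```python
from dataclasses import dataclass, replace
from fractions import Fraction
from math import lcm


@dataclass(frozen=True)
class Task:
    name: str
    c_lo: int       # C_i(LO)
    d_lo: int       # D_i(LO); assumed <= period (constrained deadline)
    period: int     # T_i
    level: int      # lambda_i^LO, integer preemption level
    threshold: int  # gamma_i^LO, preemption threshold (>= level)


def slack_lo(tasks, L):
    """SLACK^LO(L) = L - sum_k (floor((L - D_k(LO)) / T_k) + 1) * C_k(LO)."""
    return L - sum(((L - t.d_lo) // t.period + 1) * t.c_lo for t in tasks)


def blocking_pt_lo(tasks, L):
    """B_p^LO(L) of Equation (13); default=0 plays the role of the (.)_0 subscript."""
    return max((tj.c_lo - 1 for ti in tasks for tj in tasks
                if ti.d_lo <= L and tj.d_lo > L + 1
                and tj.threshold >= ti.level), default=0)


def deadlines_lo(tasks):
    """d^LO: absolute deadlines up to min(hyperperiod, max(D_max, utilization bound))."""
    util = sum(Fraction(t.c_lo, t.period) for t in tasks)
    if util >= 1:
        raise ValueError("U^LO must be below 1 for the bound to exist")
    weighted = sum((t.period - t.d_lo) * Fraction(t.c_lo, t.period) for t in tasks)
    horizon = min(lcm(*(t.period for t in tasks)),
                  max(max(t.d_lo for t in tasks), weighted / (1 - util)))
    return sorted({t.d_lo + k * t.period for t in tasks
                   for k in range(int(horizon) // t.period + 1)
                   if t.d_lo + k * t.period <= horizon})


def first_violation_lo(tasks):
    """Return the first L in d^LO with B^LO(L) > SLACK^LO(L), or None if the test passes."""
    for L in deadlines_lo(tasks):
        if blocking_pt_lo(tasks, L) > slack_lo(tasks, L):
            return L
    return None


# Constructed task set: levels follow decreasing deadlines, thresholds start at identity.
IDENTITY = [
    Task("t1", c_lo=1, d_lo=5, period=5, level=3, threshold=3),
    Task("t2", c_lo=2, d_lo=10, period=10, level=2, threshold=2),
    Task("t3", c_lo=6, d_lo=20, period=20, level=1, threshold=1),
]


def with_threshold(tasks, name, threshold):
    """Copy of the task set with one task's threshold changed, as one PTAA step tries."""
    return [replace(t, threshold=threshold) if t.name == name else t for t in tasks]


if __name__ == "__main__":
    for gamma in (1, 2, 3):
        trial = with_threshold(IDENTITY, "t3", gamma)
        print("gamma_3 =", gamma, "first violation:", first_violation_lo(trial))
```

Raising the threshold of the longest-deadline task to 2 still passes, while raising it to 3 makes it block the shortest-deadline task for longer than the slack at $L = 5$, which is the point at which PTAA would roll the threshold back.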

VII. PERFORMANCE EVALUATION

We focus on stack size reduction for performance evaluation, and define the stack save ratio $n(\Gamma)$ for taskset $\Gamma$ as the optimization objective: $n(\Gamma) = \left(1 - \frac{STACK_{MCSRPT}(\Gamma)}{STACK_{greedyEDF}}\right) \times 100\%$, where $STACK_{greedyEDF}$ and $STACK_{MCSRPT}$ are the total stack size requirement for Greedy and our proposed MCSRPT, respectively.

We use randomly-generated synthetic task sets for performance evaluation. Task set generation is controlled by two parameters: number of tasks $N$, and the LO-criticality system utilization $U^{LO}$. Each new task $\tau_i$ is generated as follows: $L_i = HI$ with probability $P_{HI} = 0.5$; LO-criticality mode utilization ($U_i^{LO} = C_i(LO)/T_i$) is generated using the UUnifast algorithm [10], giving an unbiased distribution of utilization values. The LO-criticality execution time $C_i(LO) = U_i(LO)/T_i$; $T_i$ is generated according to a log-uniform distribution with a factor of 100 difference between the minimum and maximum possible task period. This represents a spread of task periods from 10ms to 1 second; task deadlines $D_i$ were set equal to the period $T_i$; $C_i(HI)$ is drawn from the uniform distribution over $[C_i(LO), 2 \cdot C_i(LO)]$ if $L_i = HI$. Otherwise, $C_i(HI) = C_i(LO)$; maximum stack size of task $\tau_i$, $S_i$, is chosen from a uniform distribution between 20 and 120 units. We consider task sets with the number of tasks $N = 5, 10, 15$. For each $N$, and each LO-criticality mode CPU utilization $U^{LO}(\Gamma)$ from 50% to 90%, with increment granularity of 1%, 1000 task sets are randomly generated for each $U^{LO}(\Gamma)$, resulting in a total of 41000 task sets for each $N$. All of them are schedulable with Greedy without shared resources and fully-preemptive scheduling. For each taskset, we use PTAA (Algorithm 1) to find the preemption threshold assignments $\Psi^{HI}$ and $\Psi^{LO}$ for $\Gamma$. Figure 7 indicates that MCSRPT can achieve significant reduction in stack size, especially for larger task set size. For example, it saves 50% - 55% of the stack space compared with Greedy when $N = 15$.

[Figure 7: plot against Taskset CPU Utilization $U^{LO}$ (0.5 to 0.9), with curves for N=5, N=10 and N=15.]
Fig. 7. Stack size reduction for MCSRPT compared to Greedy

VIII. CONCLUSIONS

In this paper, we propose the integration of the data synchronization protocol SRP and preemption thresholds into mixed criticality systems, as well as their schedulability analysis techniques. The proposed framework is shown to be effective in reducing system stack space. For future work, we plan to address other EDF-scheduled mixed-criticality task models with the dual-deadline model.

IX. ACKNOWLEDGMENTS

This work is partly supported by NSFC Project #61070002 and NSERC Discovery Grant RGPIN 41874112.

REFERENCES

[1] S. K. Baruah and G. Fohler, "Certification-cognizant time-triggered scheduling of mixed-criticality systems," in RTSS. IEEE Computer Society, 2011, pp. 3-12.
[2] P. Ekberg and W. Yi, "Outstanding paper award: Bounding and shaping the demand of mixed-criticality sporadic tasks," in ECRTS, R. Davis, Ed. IEEE Computer Society, 2012, pp. 135-144.
[3] T. P. Baker, "Stack-based scheduling of realtime processes," Real-Time Systems, vol. 3, no. 1, pp. 67-99, 1991.
[4] Y. Wang and M. Saksena, "Scheduling fixed-priority tasks with preemption threshold," in RTCSA. IEEE Computer Society, 1999, pp. 328.
[5] P. Gai, G. Lipari, and M. D. Natale, "Minimizing memory utilization of real-time task sets in single and multi-processor systems-on-a-chip," in RTSS. IEEE Computer Society, 2001, pp. 73-83.
[6] R. J. Bril, M. M. H. P. van den Heuvel, U. Keskin, and J. J. Lukkien, "Generalized fixed-priority scheduling with limited preemptions," in ECRTS, R. Davis, Ed. IEEE Computer Society, 2012, pp. 209-220.
[7] K. Lakshmanan, D. de Niz, and R. Rajkumar, "Mixed-criticality task synchronization in zero-slack scheduling," in IEEE Real-Time and Embedded Technology and Applications Symposium. IEEE Computer Society, 2011, pp. 47-56.
[8] S. K. Baruah, "Resource sharing in EDF-scheduled systems: A closer look," in RTSS. IEEE Computer Society, 2006, pp. 379-387.
[9] R. Ghattas and A. G. Dean, "Preemption threshold scheduling: Stack optimality, enhancements and analysis," in IEEE Real-Time and Embedded Technology and Applications Symposium. IEEE Computer Society, 2007, pp. 147-157.
[10] E. Bini and G. C. Buttazzo, "Measuring the performance of schedulability tests," Real-Time Systems, vol. 30, no. 1-2, pp. 129-154, 2005.
[11] R. Davis, Ed., 24th Euromicro Conference on Real-Time Systems, ECRTS 2012, Pisa, Italy, July 11-13, 2012. IEEE Computer Society, 2012.
APPENDIX

A. Transforming Preemption Levels to Integers

Let tasks in $\Gamma = \{\tau_1, \tau_2, \ldots, \tau_N\}$ be ordered by decreasing relative deadlines in LO-criticality mode. To make $\lambda_i^{LO}$ have an integer value, we define the LO-criticality mode preemption level $\lambda_i^{LO}$ of each task $\tau_i$ as:

$$\lambda_i^{LO} = \begin{cases} 1, & \text{if } i = 1 \\ \lambda_{i-1}^{LO}, & \text{if } i > 1 \text{ and } D_i(LO) = D_{i-1}(LO) \\ \lambda_{i-1}^{LO} + 1, & \text{if } i > 1 \text{ and } D_i(LO) < D_{i-1}(LO). \end{cases} \quad (23)$$

Let tasks in $HI(\Gamma) = \{\tau_1, \tau_2, \ldots, \tau_M\}$ be ordered by decreasing relative deadlines in HI-criticality mode. To make $\lambda_i^{HI}$ have an integer value, we define the HI-criticality mode preemption level $\lambda_i^{HI}$ of each task $\tau_i \in HI(\Gamma)$ in the same way as $\lambda_i^{LO}$: