Proposed Scheduler Synthesis Scheme - Real-time scheduler design for safety-critical systems :

for solving such problems. Hence, there is a necessity for developing off-line exhaustive enumeration techniques to pre-compute schedules at design time and use them during on-line execution. As mentioned earlier in this dissertation, we apply supervisory control approach for scheduler synthesis. Although in recent years, there has been a few significant works dealing with real-time scheduling using supervisory control, this is pos- sibly the first work which addresses the scheduler synthesis problem for non-preemptive periodic tasks.

6.2 Proposed Scheduler Synthesis Scheme

Table 6.1: Comparison between SCTDES based scheduling schemes Method Tasks Preemptive /

Non-preemptive

Uniprocessor /

Multi-core Remarks

[29] Periodic Non-preemptive Uniprocessor It does not consider task priorities [53] Periodic Both Uniprocessor It considers task priorities [87] Periodic &

Sporadic Preemptive Uniprocessor It does not consider inter-arrival time constraint [39] Aperiodic &

Sporadic Non-preemptive Uniprocessor It correctly captures inter-arrival time constraint [105] Periodic Preemptive Uniprocessor It supports tasks with multiple

periods to allow reconfiguration [106] Periodic Conditionally

preemptive Uniprocessor It can be extended to homogeneous multi-cores [107] Periodic &

Sporadic Conditionally

preemptive Uniprocessor It can be extended to homogeneous multi-cores Present

work Periodic Non-preemptive Heterogeneous multi-core

Correctly models execution of tasks on heterogeneous multi-cores

A periodic task τ_i consists of an infinite sequence of instances and is represented by a 4-tuple hAi, hEi,1, Ei,2, . . . , Ei,mi, Di, Pii, where Ai(∈N) is the arrival time of the first instance of τi (relative to system start), Ei,j(∈ N and j = 1,2, ..., m) is the execution time of τ_i on the V_j^th processing core, D_i(∈ N) is the relative deadline and P_i(∈ N) denotes the fixed inter-arrival time between consecutive instances of τ_i [10].

Assumptions: (1) Tasks are independent. (2) Execution time for each task is constant and equal to its Worst Case Execution Time (WCET) [73]. (3) The tasks are periodic and have fixed interval arrival times. (4) E_i,j, D_i and P_i are discrete and finite.

6.2.1 Task Execution Model (ATG)

The ATG model P T_i,act for executing a non-preemptive periodic task τ_i on a heterogeneous multi-core system is shown in Figure 6.1. P T_i,act = (A^{P T}_i ,Σ_i,act, δ_i,act^{P T} , a^{P T}_i,0 , A^{P T}_i,m), where,A^{P T}_i ={IDLE, READY, READYQ1, ..., READYQm, EXECUTING-ON-V₁,. . ., EXECUTING-ON-V_m, COMPLETION}, Σ_i,act = {f a_i, a_i, r_i,1, . . ., r_i,m, s_i,1, . . ., s_i,m, ci,1, . . ., ci,m} (the description of events is presented in Table 6.2), a^{P T}_i,0 = IDLE and A^{P T}_i,m = {COMPLETION}. Here, Σact = ∪ⁿ_i=1Σi,act, which is categorized as: Σspe = Σ_act (since all events have finite time bounds), Σ_rem = ∅, Σ_unc = {∪ⁿ_i=1{f a_i, a_i}} ∪ {∪ⁿ_i=1 ∪^m_j=1{c_i,j}} (task arrival and completion events cannot be prevented by supervisor), Σ_con =∪ⁿ_i=1∪^m_j=1{r_i,j, s_i,j} (assignment on the ready queue and start of execution can be controlled by supervisor), Σ_{f or} = Σ_con (all controllable events can preempt the

occurrence of tick), Σ = Σ_act∪ {tick}.

Table 6.2: Description of events

Event Description

f ai Arrival of taskτi’s first instance ai Arrival of task τi’s next instance

r_i,j Assignment of task τ_i on the ready queue associated with V_j s_i,j Start of the execution of taskτ_i onV_j

c_i,j Completion of the execution of task τ_i onV_j

IDLE READY

EXECUTING-ON-V1

fai

ri,1 c_i,1

EXECUTING-ON-Vm

ri,m

c_i,m

ai READYQ1

READYQm

si,1

si,m

a_i

OC MP L ET OI

ai N

Figure 6.1: Task execution model P Ti,act for periodic task τi

Initially, P T_i,act stays at activity IDLE until the arrival of τ_i’s first instance. On the occurrence of f ai, P Ti,act transits to activity READY. At this activity, there are m outgoing transitions on events ri,j (j = 1,2, ..., m) to model the possibility of assigning of τ_i on the ready queue associated with core V_j. Once event r_i,j is executed, P T_i,act moves to activity READYQj and stays at the ready queue of V_j until the start of τ_i’s execution on V_j. On s_i,j, P T_i,act moves to activity EXECUTING-ON-V_j to capture the execution of τ_i on V_j. After the completion of execution, P T_i,act transits to the marker activity COMPLETION on c_i,j. Next, P T_i,act moves back to activity READY on the arrival of τ_i’s next instance (a_i) and τ_i continues its execution in a similar manner. The self-loops ona_i are used to model the periodicity of τ_i. An elaboration on the modeling of τi’s periodicity is presented separately later in this section.

To obtain a TDES model, we assign time bounds for events in Σi,act, as follows: 1.

(f a_i, A_i, A_i): f a_i must occur exactly at the A^th_i tick from the system start, to correctly model the arrival of τ_i’s first instance. 2. (a_i, P_i, P_i): a_i must occur exactly at the P_i^th tick from the arrival of τ_i’s previous instance, to model the periodic arrival of τ_i. 3. (r_i,j,0,0): r_i,j must occur immediately after the arrival of τ_i’s current instance. 4.

6.2 Proposed Scheduler Synthesis Scheme

(s_i,j,0, D_i−E_i,j): s_i,j must occur between 0 and D_i −E_i,j ticks from the arrival of τ_i’s current instance to ensure that there is sufficient time for the execution of τ_i on V_j so that its deadline can be met. 5. (c_i,j, E_i,j, E_i,j): c_i,j must occur exactly E_i,j ticks from the occurrence of s_i,j. This is to enforce the execution requirement E_i,j of τ_i on V_j.

fai

t t

# t = A_i

r_i,1

si,1 t

t ci,1

si,1 t ci,1

#t = E_i,1

#t = D_it E_i,1

si,m t

t ci,m

si,m t ci,m

t t

s_i,m ci,m

#t = D_it E_i,m

#t = E_i,m ri,m

#t = P_it E_i,1

#t = Pit Ei,m

#t = Pit D

#t = Pⁱ t Dⁱ t

t t t t t

Figure 6.2: TDES model P Gi for periodic task τihA_i, Ei, Di, Pii

6.2.2 Task Execution Model (TDES)

The TDES model P G_i obtained using P T_i,act and the above time bounds, is shown in Figure 6.2. Here, t represents thetick event. In the TTCT software [2], construction of TDES from ATG is implemented by the procedure timed graph. It may be observed (from Figure 6.2) that the arrival ofτ_i’s first instance (i.e., f a_i) occurs at A^th_i tick from system start. Then, τ_i is immediately assigned to the ready queue associated with any one of the processing cores. Let us assume that τ_i is assigned to the ready queue of V₁ through ri,1. At this instant,τi may either be allowed to immediately start its execution through si,1 or τi’s execution may be delayed by at most Di−Ei,1 ticks. Subsequent to start of execution, τ_i consumes exactly E_i,1 ticks to complete on V₁ and this is marked by the event c_i,1. Suppose,τ_i started its execution without any delay. In this case,P G_i contains exactly P_i−E_i,1 ticks between the completion eventc_i,1 and the arrival ofτ_i’s next instance. In case of a delay ofD_i−E_i,1ticks, this interval reduces to exactlyP_i−D_i

ticks.

Modeling Periodicity of τ_i: Periodicity of τ_i requires the arrival events (a_i’s) of any two consecutive instances of τ_i to be separated by exactlyP_i ticks. This is achieved by setting P_i as both the lower and upper time bounds of a_i. Additionally, the TDES model P G_i must accurately account for the time elapsed from the arrival of the current instance of τi, at all subsequent states of the model, so that the next arrival can be enforced to occur exactly after P_i ticks. However, for the TDES model to correctly implement this behavior, the arrival event a_i must remain enabled (and hence, should be defined) at all activities subsequent to the occurrence of τ_i’s first instance, in the ATG P T_i,act from whichP G_i is constructed. For this purpose, self-loops on a_i has been added at all activities in P T_i,act except IDLE (where the first instance ofτ_i has not yet arrived) and COMPLETION (where a_i is already defined). On the occurrence of f a_i, P T_i,act transits from IDLE to the activity READY at which events a_i, r_i,1, . . ., r_i,m become enabled with associated timer values t_a_i = P_i, and t_r_i,j = 0 (j = 1, . . . , m).

On all activities reachable from READY to COMPLETION, timer tai is continuously decremented at each clock tick (and not reset toP_i, asa_i is enabled at these activities).

After P T_i,act reaches COMPLETION, say x ticks (t_a_i = P_i − x) from the arrival of τ_i’s current instance, t_a_i is continued to be decremented until it reduces to 0. Here, x captures the delay in the start of execution (i.e., (s_i,j,0, D_i−E_i,j)) along with the time taken for the execution of τ_i (i.e., (c_i,j, E_i,j, E_i,j)). Hence, the value of x is lower and upper bounded by E_i,j and D_i, respectively. When t_a_i reaches zero, occurrence of a_i becomes eligible and consequently, P T_i,act transits fromCOMPLETION toREADY on a_i with t_a_i being reset toP_i. Thus, the periodicity ofτ_i is correctly captured by P T_i,act.

6.2.3 Composite Task Execution Model

It may be inferred that Lm(P Gi) satisfies (i) distinct execution times of τi on different processing cores, (ii) deadline requirement and (iii) fixed inter-arrival time constraints of τ_i. Given n individual TDES models P G₁, ..., P G_n corresponding to τ₁, . . . τ_n, a synchronous product P G = P G₁||...||P G_n on the models gives us the composite model for all the tasks executing concurrently. In the TTCT software [2],synchronous

6.2 Proposed Scheduler Synthesis Scheme

product is computed using the procedure sync. As individual models (P G_i’s) do not share any common event (i.e., ∩ⁿ_i=1Σ_i,act =∅) excepttick, all models synchronize only on the tick event. Since, the individual models satisfy deadline and fixed-inter arrival time constraints,L_m(P G) also satisfies them. However, the sequences inL_m(P G)may violate resource constraints. That is,P Gdoes not restrict the concurrent execution of multiple tasks on the same processing core. Hence, we develop a resource-constraint model to capture the following specification: Once a task τ_i is allocated onto a processing core V_j, it remains allocated on V_j until its completion. Meanwhile, no other task τ_j (6= τ_i) is allowed to execute on V_j. This is captured by the TDES modelRC_k, as we discuss next.

V_k-AVAILABLE

EXECUTING-•₁

EXECUTING-•_n

s_1,k c_1,k

c_n,k s_n,k

i=1

T\ U {sn _i,k, c_i,k} ⁱ⁼¹

T\ {U {sn i,k, ci,k} U U{s1,j, c1,j}}

j=1 m

EXECUTING-•_x

s_x,k

c_x,k ⁱ⁼¹

T\ {U {sn _i,k, c_i,k} U U{s_x,j, c_x,j}}

j=1 m

i=1

T\ {U {sn i,k, ci,k} U U{sn,j, cn,j}}

j=1 m

Figure 6.3: TDES model RC_k for processing coreV_k

6.2.4 Resource-constraint Model

The TDES model RC_k for a core V_k is shown in Figure 6.3. RC_k = (Q,Σ, δ, q₀, Q_m), where,Q={V_k-AVAILABLE, EXECUTING-τ₁,. . ., EXECUTING-τ_n}, Σ = Σ_act∪ {t}, q₀ = Q_m = V_k-AVAILABLE. RC_k contains n+ 1 states to capture the idle state of V_k as well as execution of anyone of the n tasks on V_k. The self-loop Σ\ ∪ⁿ_i=1{s_i,k, c_i,k} at the initial state, allows the possibility of executing all events in Σ except∪ⁿ_i=1{s_i,k, c_i,k}, i.e., it disallows the start and completion of any task on Vk. The start of execution of any task, say τx, on Vk is modeled by an outgoing transition on sx,k to the state EXECUTING-τ_x from V_k-AVAILABLE. At this state, the self-loop Σ\ {∪ⁿ_i=1{s_i,k, c_i,k}

∪ ∪^m_j=1{s_x,j, c_x,j}}allows all but the events related to, (i) starts or completions of any task onV_k(∪ⁿ_i=1{s_i,k, c_i,k}) and (ii) start or completion of taskτ_xon any core (∪^m_j=1{s_x,j, c_x,j}).

On completion, RC_k transits back to the initial state on c_x,k from EXECUTING-τ_x.

Hence, L_m(RC_k) ensures the exclusive execution of a single task on core V_k at any time instant. To summarize, L_m(RC_k) contains all sequences over Σ^∗ excluding those which allow the concurrent execution of multiple tasks onV_k. Thus,L_m(RC_k) is the minimally restrictive language which satisfies the resource-constraint with respect to V_k.

Composite Resource-constraint Model: GivenmTDES modelsRC1,. . .,RCm

corresponding to them cores, we can compute the composite resource-constraint model RC as: RC₁||. . .||RC_m. Hence, L_m(RC) represents the minimally restrictive language that disallows the concurrent execution of multiple tasks on the same processing core.

Although, all sequences in L_m(RC) satisfy the resource-constraints, however, sequences in L_m(RC) may not correctly capture timing properties such as execution times, deadlines and periods associated with the tasks (which is captured by P G).

6.2.5 Supervisor Synthesis

In order to find only and all sequences in L_m(P G) that satisfy resource-constraints, the initial supervisor S0 =P G||RC, is computed. We first show that Lm(S0) contains resource-constraint satisfying sequences of L_m(P G) and then, we show that L_m(S₀) contains timing-constraint satisfying sequences of L_m(P G).

Theorem 6.2.1. Lm(S0) contains only and all resource-constraint satisfying sequences of L_m(P G).

Proof. (⇒): L_m(S₀) = L_m(P G)∩L_m(RC), sinceS₀ =P G||RC and Σ is same for both P G and RC. So, the following inference may be drawn: a string s ∈ Lm(S0) implies thats∈L_m(P G) ands∈L_m(RC). SinceL_m(RC) satisfies resource-constraints,L_m(S₀) (⊆L_m(RC)) contains only resource-constraint satisfying sequences of L_m(P G).

(⇐): By contradiction: Let s ∈ L_m(P G) is resource-constraint satisfying, but s /∈ L_m(S₀). As s is resource-constraint satisfying, it must be part of L_m(RC), the minimally restrictive language that disallows the concurrent execution of multiple tasks on the same processing core. Hence, s ∈L_m(S₀) since S₀ =P G||RC. This contradicts the assumption. Thus, Lm(S0) contains all resource-constraint satisfying sequences of L_m(P G).

Corollary 6.2.1. L_m(S₀) contains only and all resource as well as timing constraints satisfying sequences of Lm(P G).

Proof. We know that all sequences in L_m(P G) satisfy timing constraints andL_m(S₀) = L_m(P G)∩L_m(RC). By following of the proof structure of Theorem 1, we can show that Lm(S0) contains only and all resource as well as timing constraints satisfying sequences of L_m(P G).

6.2 Proposed Scheduler Synthesis Scheme

It may be noted that sequences in L(S₀) which violate resource and/or timing constraints are not part of L_m(S₀) and hence, such sequences lead to deadlock states in S₀. This implies L(S₀) 6= L_m(S₀), i.e., S₀ is blocking. However, to ensure that all instances of all periodic tasks meet their resource and timing constraints, S₀ must be made controllable with respect to P G. This is achieved by determining supC(Lm(S0)), the controllable and non-blocking sub-part of S₀. Here, supC(L_m(S₀)) is essentially obtained by disabling certain controllable events (r_i,j,s_i,j) at appropriate states inS₀, such that none of the deadlock states are reached. In TTCT, this can be computed using the supcon procedure. This guarantees that the closed-loop system behavior always stays within the desired behavior supC(L_m(S₀)).

Theorem 6.2.2. The language supC(L_m(S₀)) is the largest schedulable language.

Proof. Let us consider the set of all sublanguages of L_m(S₀) that are controllable with respect to L_m(P G), i.e.,C(L_m(S₀)) :={L_m(S₀⁰)⊆L_m(S₀)|L_m(S₀⁰) is controllable with respect to L_m(P G)}. Among all sublanguages in C(L_m(S₀)), consider the largest controllable sublanguage. The existence of such a unique supremal element supC(Lm(S0)) inC(L_m(S₀)) is already shown in [18]. The language supC(L_m(S₀)) contains all feasible scheduling sequences (i.e., the largest schedulable language) for the given task set.

From Theorem 6.2.2, it may be inferred that supC(L_m(S₀)) contains the exhaustive set of only and all the feasible scheduling sequences that satisfy the set of specifications related to (i) execution times, (ii) deadlines, and (iii) resource-constraints of the given real-time system. It may be noted that supC(Lm(S0)) can be empty which implies that there cannot exist any feasible scheduling sequence corresponding to the given specifications, irrespective of the employed scheduling strategy. Hence, the scheduler synthesis mechanism described in this work is optimal. Therefore, using supC(L_m(S₀)), we can design an optimal scheduler S. As a result of supervision, the task executions controlled by S remain within the largest schedulable language supC(L_m(S₀)).

a

₂

Figure 6.4: (a) P T1, (b)P T2, and (c)P T3.

V1-AVAILABLE

•₁

•₃ s1,1

c_1,1

c_3,1 s3,1 i=1

T\ U {s3 _i,1, c_i,1} ⁱ⁼¹

T\ {U {s3 i,1, ci,1} U U{s1,j, c1,j}}

j=1 2

•₂ s_2,1

c_2,1 ⁱ⁼¹

T\ {U {s3 _i,1, c_i,1} U U{s_2,j, c_2,j}}

j=1 2

i=1

T\ {U {s3 i,1, ci,1} U U{s3,j, c3,j}}

j=1

(a) 2

V₂-AVAILABLE

•₁

•₃ s_1,2 c_1,2

c_3,2 s_3,2

i=1

T\ U {s3 _i,2, c_i,2} ⁱ⁼¹

T\ {U {s3 i,2, ci,2} U U{s1,j, c1,j}}

j=1 2

•₂ s_2,2

c_2,2 ⁱ⁼¹

T\ {U {s3 _i,2, c_i,2} U U{s_2,j, c_2,j}}

j=1 2

i=1

T\ {U {s3 i,2, ci,2} U U{s3,j, c3,j}}

j=1

(b) 2

Figure 6.5: (a)RC1 and (b) RC2.

6.2.6 Example

Consider a system consisting of two unrelated processing cores ({V₁, V₂}) and three tasks (τ₁h0, h2,1i, 3,4i, τ₂h0,h2,2i, 3,4iand τ₃h0, h1,2i, 3,4i). The ATG modelsP T₁ for τ₁, P T2 for τ2 and P T3 for τ3 are shown in Figures 6.4(a), (b) and (c), respectively. Using these ATG models, we can obtain their corresponding TDES models P G1, P G2 and P G₃ (not shown in figure). The TDES models RC₁ for V₁ and RC₂ for V₂ are shown in Figures 6.5(a) and (b), respectively. The composite task and resource-constraint models P Gand RC are shown in Figure 6.6(a) and Figure 6.7, respectively. The initial supervisor candidate S₀ and supC(L_m(S₀)) are shown in Figure 6.8.

To illustrate thatL_m(P G) contains both resource-constraint satisfying and violating

6.2 Proposed Scheduler Synthesis Scheme

Task •₁

0 1 2 3 4

Core V₁

Core V₂

Resource-constraint violation

(b)

time

Task •₁

0 1 2 3 4

Task •₂

Task •₃ (c)

(a)

s1,1

s2,2 s3,2

s1,1 s3,1

s2,2

fa₁

s_3,2

s_1,1 t

fa2 fa3 r1,1 r2,2

r3,2 s_2,2 t c_1,1 c_2,2 t s_3,1 s1,1 s2,2 t t c_1,1 c2,2 t

r_3,1 c_3,1

a1 t a2

c_3,2

Task •₂ Task •₃

Figure 6.6: P G= P G1||P G₂ (partial diagram).

s

_1,1

c

_1,1

0

s

_1,1

Figure 6.7: RC =RC1||RC₂ (partial diagram).

sequences, let us consider the sequences: seq₁(=f a₁f a₂f a₃r_1,1r_2,2r_3,2s_1,1 s_2,2ts_3,2tc_1,1c_2,2 tc_3,2) and seq₂ (= f a₁f a₂f a₃r_1,1r_2,2r_3,1 s_1,1s_2,2ttc_1,1c_2,2s_3,1tc_3,1). The gantt chart repre- sentation of seq₁ and seq₂ are shown in Figure 6.6(b) and (c), respectively. seq₁ is resource-constraint violating due to the simultaneous execution of both τ₂ and τ₃ onV₂. On the other hand, seq₂ is resource-constraint satisfying. Let us considerRC and try to findseq1. After processing the substringf a1f a2f a3r1,1r2,2r3,2s1,1s2,2tofseq1,RC reaches state 2 where there is no outgoing transition on s3,2 and hence,seq1 ∈/Lm(RC). Subse- quently, seq₁ leads to deadlock inS₀ implyingseq₁ ∈/ supC(L_m(S₀)). Meanwhile, we can findseq₂ inL_m(RC) as: δ(0, f a₁f a₂f a₃r_1,1r_2,2r_3,1s_1,1) = 1,δ(1, s_2,2) = 2,δ(2, ttr_1,1c_1,1) = 3,δ(3, c_2,2) = 0, δ(0, s_3,1) = 4,δ(4, tc_3,1) = 0. Further from Figure 6.8 (within the dotted box), we can findseq₂, implying seq₂ ∈L_m(S₀) andseq₂ ∈supC(L_m(S₀)). Similarly, we

fa

₁

s

_1,1

a

₂

a

₃

Figure 6.8: S0 (partial diagram); supC(Lm(S0)) (in dotted box).

can find that all resource-constraint satisfying sequences in L_m(P G) are also present in supC(L_m(S₀)). Hence, we can design an optimal schedulerS using supC(L_m(S₀)).

Working of scheduler S: When all three tasks arrive simultaneously, S allocates τ₁ on V1 (r1,1), τ2 on V2 (r2,2) and τ3 on V1 (r3,1). The system behavior L(P G) allows the possibility of assigning τ3 on either V1 or V2. However, assigning τ3 on V2 leads to a deadlock state. Hence, S assigns τ₃ on V₂ by disabling r_3,2 (and enabling r_3,1) and ensures that no deadlock state is reached.

Dalam dokumen Real-time scheduler design for safety-critical systems : A supervisory control approach (Halaman 172-182)