Scheduling issues in mixedcriticality
|
|
|
- Miles Stafford
- 5 years ago
- Views:
Transcription
1 Scheduling issues in mixedcriticality systems Sanjoy Baruah The University of North Carolina at Chapel Hill
2 Scheduling issues in mixedcriticality systems Integrated environments: Multiple systems on a shared platform Why integrated architectures? Can provide a range of functionalities Separate implementations are inefficient Size Weight and Power (SWaP) constraints Dealing with mixed criticalities
3 Mixed criticalities: an example Some sub-systems are more important than others - Automotive example: ABS vs car stereo Different sub-systems have different certification requirements - Defense avionics example. Flight-critical and mission-critical functionalities Flight critical: certified by Certification Authorities Mission-critical: validated by design team Example: Determining worst-case execution time (WCET) - flight-critical certification: cycle-counting under pessimistic assumptions - mission-critical validation: extensive experimentation Current practice: ARINC-653 space-time partitioning - time partitioning: different time-slots are reserved for the flight-critical and the mission-critical sub-systems
4 Mixed criticalities: an example J is flight-critical; J 2 is mission-critical Both arrive at t=; have deadlines at t= WCET of J is 6; WCET of J 2 is > not schedulable But - flight-criticality certification does not need J 2 to meet its deadline - for mission-critical validation, J s WCET of 6 may be too pessimistic * Suppose J s WCET, obtained by extensive experimentation, is Priority-based scheduling: J > J time
5 Mixed criticalities: an example J is flight-critical; J 2 is mission-critical Both arrive at t=; have deadlines at t= WCET of J is 6; WCET of J 2 is 5 But - flight-criticality certification does not need J 2 to meet its deadline - for mission-critical validation, J s WCET of 6 may be too pessimistic * Suppose J s WCET, obtained by extensive experimentation, is Priority-based scheduling: J > J 2 Flight-criticality certification J meets deadline time J 2 misses deadline
6 Mixed criticalities: an example J is flight-critical; J 2 is mission-critical Both arrive at t=; have deadlines at t= WCET of J is 6; WCET of J 2 is 5 Validated at both criticalities But - flight-criticality certification does not need J 2 to meet its deadline - for mission-critical validation, J s WCET of 6 may be too pessimistic * Suppose J s WCET, obtained by extensive experimentation, is Priority-based scheduling: J > J 2 Mission-critical validation J meets deadline time J 2 meets deadline
7 Mixed criticalities J is flight-critical; J 2 is mission-critical Both arrive at t=; have deadlines at t= WCET of J is 6; WCET of J 2 is 5 The same system is being validated, twice Flight-critical certification Mission-critical validation at a very high level of assurance of only a subset of the system at a lower level of assurance of the entire system What are the right models, algorithms, and metrics for MC scheduling? Design-time resource reclaiming
8 Mixed criticalities J is flight-critical; J 2 is mission-critical Both arrive at t=; have deadlines at t= WCET of J is 6; WCET of J 2 is 5 The same system is being validated, twice Flight-critical certification at a very high level of assurance of only a subset of the system Mission-critical validation at a lower level of assurance of the entire system What are the right models, algorithms, and metrics for MC scheduling? OUTLINE Restricted MC systems: models, algorithms, and metrics Models, algorithms, and metrics for generalizations to the basic model
9 The mixed-criticality job model Job J i scheduling window - arrival time A i - deadline D i - criticality level L i - WCET function C i (), C i (2), A i D i time A positive integer larger values = greater criticality Defense avionics: 2 (3?) criticalities - safety-critical; mission-critical; non-critical Civilian aviation (DO-78B): 5 criticalities -catastrophic; hazardous; major; minor; no effect Automotive systems (ISO 26262): criticalities
10 The mixed-criticality job model Job J i - arrival time A i - deadline D i - criticality level L i - WCET function C i (), C i (2), C i (j): The worst-case execution time of job J i, estimated at a level of assurance consistent with the j th criticality level (WCET-estimation tools and techniques are criticality level-specific) Assume C i (j) C i (j+) for all j
11 The mixed-criticality job model Job J i - arrival time A i - deadline D i - criticality level L i - WCET function C i (), C i (2), The MIXED-CRIT SCHEDULING PROBLEM: Given an instance {J, J 2,, J n } of mixed-criticality jobs, determine an appropriate scheduling strategy CERTIFICATION CRITERION: Job J i should meet its deadline when each job J k executes for at most C k (L i ), for all J i. The WCET of J k, computed at J i s criticality level
12 MC scheduling: An example J i : L i A i C i ( ) C i ( 2 ) D i LO 2 HI J : J 2 : J 3 : 2 J : 2
13 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO J 3 : HI 2 J : HI time Schedule for LO-criticality behavior Schedule for HI-criticality behavior - Earliest Deadline First (EDF) - Any work-conserving algorithm
14 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO J 3 : HI 2 J : HI time Schedule for LO-criticality behavior Schedule for HI-criticality behavior Schedule for BOTH behaviors?
15 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO Earliest Deadline First (EDF) scheduling J 3 : HI 2 J : HI 2 J 2 3 time HI-criticality certification: must fit units of work here
16 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO Criticality-Monotonic scheduling J 3 : HI 2 J : HI 2 J 3 J 2 3 J 3 completes execution J completes execution LO-criticality validation: J misses its deadline time
17 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO J 3 : HI 2 J : HI 2 If J 3 does not complete by : J 3 J 3 J 2 3 time
18 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO J 3 : HI 2 J : HI If J 3 completes by : 2 If J does not complete by 3: J 3 J J J 2 3 time
19 MC scheduling: An example J i : L i A i C i (LO) C i (HI) D i J : LO 2 J 2 : LO execute J3 first A correct strategy: J 3 : HI J : HI If J 3 completes by : 2 2 if J 3 executes for, J is next J is next J 2 executes last If J completes by 3: J 3 J J J time
20 The complexity of MC scheduling Given an instance of mixed-criticality jobs, determining whether an appropriate scheduling strategy exists for it is NP-hard in the strong sense - For uniprocessors as well as multiprocessors - Upon both preemptive and non-preemptive processors - Even if there are only two distinct criticality levels - And all jobs arrive simultaneously
21 Coping with intractability Given an instance of mixed-criticality jobs, determining whether an appropriate scheduling strategy exists for it is NP-hard in the strong sense Focus on dual criticality instances: Each job is either HI-criticality or LO-criticality J i = (L i, A i, C i (LO), C i (HI), D i ) L i {LO, HI}
22 Coping with intractability Given an instance of mixed-criticality jobs, determining whether an appropriate scheduling strategy exists for it is NP-hard in the strong sense Focus on dual criticality instances: Each job is either HI-criticality or LO-criticality - For ease of presentation - Important special case: HI-crit. jobs need certification; LO-crit. jobs do not - Already intractable - All techniques & results generalize to more criticality levels
23 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job I := I L: J i := a job that may be assigned lowest priority in I I := I {J i } if I is not empty then goto L
24 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units The WCET of J k, computed at J i s criticality level
25 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units An example: J i : L i A i C i (LO) C i (HI) D i Can J be lowest priority? - no! J : LO 2 2 J 2 : HI 2 2 J misses its deadline 2 3
26 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units An example: J i : L i A i C i (LO) C i (HI) D i Can J be lowest priority? - no! Can J 2 be lowest priority? - yes J : LO 2 2 J 2 : HI 2 2 J 2 meets its deadline 2 3
27 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units An example: Priority ordering: J > J 2 J i : C i (LO) C i (HI) LO-criticality certification: L i A i D i J : LO 2 2 J 2 : HI J meets its deadline J 2 meets its deadline
28 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units An example: Priority ordering: J > J 2 J i : C i (LO) C i (HI) HI-criticality certification: L i A i D i J : LO 2 2 J 2 : HI J 2 meets its deadline
29 A preemptive uniprocessor scheduling algorithm Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units
30 OCBP: Own Criticality-Based Priorities Dual-criticality instance I = {J, J 2,, J n } Assign priorities by Lawler s technique (Audsley s algorithm) - recursively find a lowest-priority job PROPERTIES: J i := a job that may be assigned lowest priority in I J i may be assigned lowest priority if it meets its deadline as the lowestpriority job, when each job J k executes for C k (L i ) time units * Polynomial runtime - O(n 3 log n) naive; O(n 2 ) *Quantitative performance bound - assuming some run-time support - based on system load parameter
31 Run-time support for mixed criticalities Does the run-time system police the execution of jobs? C i (HI) >> C i (LO) for LO criticality jobs WCET at HI criticality WCET at LO criticality If run-time system can enforce execution budgets assign the LO criticality job J i a budget of C i (LO) C i (HI) = C i (LO) for LO criticality job J i - But policing and budgeting overhead costs must be accounted for - Policing and budget-enforcement functionalities are HI-criticality
32 The load parameter For regular real-time instances: demand(i, [t, t 2 ) ) cumulative execution requirement of jobs of instance I over the time interval [t, t 2 ) load(i) max all [t,t2) demand(i,[t,t 2 ) ) (t 2 -t ) RESULT: Any regular (i.e., non-mc) instance I is feasible on a preemptive uniprocessor if and only if load(i) Generalization to dual-criticality instances *load LO (I) - load expected by system designer (all jobs; LO-criticality WCET s) *load HI (I) - load to be certified (only HI-criticality jobs; HI-criticality WCET s)
33 The load parameter: an example J i : L i A i C i (LO) C i (HI) D i load LO = max (.5,.) =. J : LO 2 J 2 : LO J 3 : HI 2 J : HI /(-) =. /(2-) = time
34 The load parameter: an example J i : L i A i C i (LO) C i (HI) D i load LO = max (.5,.) =. J : J 2 : LO LO 2 load HI =.75 J 3 : HI 2 J : HI (2+)/(-) = time
35 The load parameter: an example J i : L i A i C i (LO) C i (HI) D i load LO = max (.5,.) =. J : J 2 : LO LO 2 load HI =.75 J 3 : HI 2 J : HI This instance I has low-criticality load load LO (I) =. and high-criticality load load HI (I) =.75
36 OCBP: A sufficient schedulability condition RESULT: Algorithm OCBP schedules any dual-criticality instance I satisfying load HI (I) + load LO (I) 2 on a preemptive unit-speed processor load LO (I) necessary condition for viability on a speed- processor load HI (I)
37 OCBP: A sufficient schedulability condition RESULT: Any dual-criticality instance I feasible on a unit-speed processor 2 is OCBP-schedulable on a speed- = 5 + (.68) processor load LO (I) necessary condition for viability on a necessary speed- condition processor for viability on a speed-.62 processor load HI (I)
38 OCBP: A sufficient schedulability condition RESULT: Any dual-criticality instance I feasible on a unit-speed processor 2 is OCBP-schedulable on a speed- = 5 + (.68) processor 5-2 The Golden Ratio: positive solution to x 2 x =
39 Recurrent tasks Recurring tasks or processes - generate jobs - represent code within an infinite loop for(;;){.. Different tasks are assumed independent... }
40 Recurrent tasks: the sporadic tasks model Task τ i = (D i, T i, L i, [C i (LO), C i (HI)]) Jobs - D i : relative deadline D i - T i : minimum inter-arrival separation ( period ) - L i {LO, HI} - C i (LO), C i (HI): WCET estimates - first job arrives at any time - consecutive arrivals at least T i time units apart - each job has criticality L i, and WCET s as specified - each job has its deadline D i time units after arrival =D i =D i =D The dual-criticality scheduling problem for sporadic i task systems: Given a collection { τ, τ 2,, τ n } of dual-criticality sporadic tasks, determine an appropriate scheduling strategy T time T i i T i
41 Algorithms for scheduling systems of recurrent tasks A classification of priority-based scheduling algorithms. Fixed Task Priority (FTP) EASIER TO IMPLEMENT - e.g., Deadline monotonic (DM) 2. Fixed Job Priority (FJP) - e.g., EDF 3. Dynamic Priority (DP) - e.g., Least Laxity MORE GENERAL
42 Algorithms for scheduling systems of recurrent tasks A classification of priority-based scheduling algorithms. Fixed Task Priority (FTP) 2. Fixed Job Priority (FJP) 3. Dynamic Priority (DP) - e.g., Deadline monotonic (DM) - e.g., EDF - e.g., Least Laxity Optimal FTP for regular sporadic task systems Deadline Monotonic not optimal for mixed-criticality tasks -S. Vestal (RTSS 7). Preemptive scheduling of multi-criticality systems with varying degrees of execution time assurance Criticality Optimal Priority Assignment (COPA) - Application of Lawler s technique to dual-criticality sporadic task systems - Yields an optimal priority assignment - Quantitative guarantees, assuming run-time support for budget enforcement
43 COPA: A sufficient schedulability condition RESULT: COPA schedules any dual-criticality sporadic task system τ satisfying load LO (τ) + load HI (τ) - load LO (τ) load HI (τ) ½ on a preemptive unit-speed processor load LO (τ) necessary condition for viability on a speed- processor ½ load HI (τ) ½
44 COPA: A sufficient schedulability condition RESULT: Any dual-criticality sporadic task system τ feasible on a unitspeed proc. is COPA-schedulable on a speed- = ( 3.) proc 2 2- load LO (τ) necessary condition for viability on a speed- processor necessary condition for viability on a speed-.29 processor load HI (I)
45 Algorithms for scheduling systems of recurrent tasks A classification of priority-based scheduling algorithms. Fixed Task Priority (FTP) - e.g., Deadline monotonic (DM) 2. Fixed Job Priority (FJP) - e.g., EDF 3. Dynamic Priority (DP) - e.g., Least Laxity - Criticality Optimal Priority Assignment (COPA) is an optimal FTP algorithm for dual-criticality sporadic task systems - If run-time system enforces execution quotas for jobs Sufficient schedulability condition : load LO (τ) + load HI (τ) - load LO (τ) load HI (τ) ½ Tight processor speedup bound : (2 + 2), 3.
46 Algorithms for scheduling systems of recurrent tasks A classification of priority-based scheduling algorithms. Fixed Task Priority (FTP) - e.g., Deadline monotonic (DM) 2. Fixed Job Priority (FJP) - e.g., EDF 3. Dynamic Priority (DP) - e.g., Least Laxity Optimal FJP for regular sporadic task systems * EDF and COPA are incomparable EDF is not optimal * An FJP algorithm that dominates both EDF and COPA Still open: An optimal FJP scheduling algorithm Systems schedulable by EDF Systems schedulable by COPA
47 Algorithms for scheduling systems of recurrent tasks A classification of priority-based scheduling algorithms. Fixed Task Priority (FTP) 2. Fixed Job Priority (FJP) - e.g., EDF 3. Dynamic Priority (DP) - e.g., Least Laxity EASIER TO IMPLEMENT - e.g., Deadline monotonic (DM) Also optimal DP for regular sporadic task systems * There are DP-schedulable dual-criticality sporadic task systems that no FJP algorithm can schedule optimality requires DP-scheduling Open question: What is the minimum degree of dynamism needed for optimality?
48 The sporadic task model A dual-criticality sporadic task - relative deadline - minimum inter-arrival separation ( period ) - criticality - worst-case execution requirements Platform: preemptive uniprocessor + additional serially reusable resources Jobs access shared resources + shared resources for(;;){ - lock (R ) - lock (R 3 ) - unlock (R 3 ) - unlock (R ) - within critical sections which may be nested - lock (R 2 ) Priority inversion } - unlock (R 2 ) A lower-priority job executes instead of a higher-priority one
49 Serially reusable shared resources Priority inversion and blocking unavoidable blocking High priority needs shared resource Low priority shared resource
50 Serially reusable shared resources Priority inversion and blocking avoidable blocking High priority needs shared resource Medium priority does not need shared resource Low priority shared resource
51 Serially reusable shared resources Priority inversion and blocking High priority needs shared resource avoidable blocking Medium priority does not need shared resource Low priority shared resource
52 Serially reusable shared resources Ted Baker. Stack-based scheduling of real-time processes. Real-Time Systems: The International Journal oftime-critical Computing 3(). 99. The STACK RESOURCE POLICY (SRP) is optimal for resourcesharing regular sporadic task systems: if any task system is uniproc. feasible, then EDF + SRP guarantees to schedule it to meet all deadlines
53 Serially reusable shared resources Mixed criticality scheduling without shared resources High criticality Executes for > C i (LO) can abort all low-criticality jobs Low criticality
54 Serially reusable shared resources Mixed criticality scheduling without shared resources Problem: Design an efficient, certifiable strategy for arbitrating access to shared resources for mixedcriticality sporadic task systems High criticality Executes for > C i (LO) may be unsafe to abort the lower-criticality job Low criticality shared resource
55 Context and conclusions Platform-sharing is here to stay Different certification criteria for different systems - must be validated to different levels of assurance Current practice: space-time partitioning is inefficient - in resource usage: Size, Weight, and Power (SWaP) - in certification effort Needed: Certifiably correct techniques for implementing mixedcriticality systems - A formal model for mixed-criticality workloads - generated by recurrent tasks - that share non-preemptable resources
56