Litmus-RT plugins for global static scheduling of mixed criticality systems

https://doi.org/10.1016/j.sysarc.2021.102221

Abstract

Global static scheduling for Mixed Criticality (MC) systems demonstrates excellent results in terms of acceptance ratio and number of preemptions. However, no practical implementation or empirical evaluation has been presented yet for multiprocessor systems. Moreover, the new kernel mechanisms it would require have not been studied.

In this paper, we present two contributions on the implementation of global static schedulers for MC systems: G-RES, a global table-driven reservations LITMUS^RT plugin, and G-MCRES, another LITMUS^RT plugin scheduling MC tasks with global table-driven reservations and enforcing safe criticality mode changes. These contributions aim to solve the problems of instantaneous migrations and simultaneous mode changes in the context of global static schedulers. We based our experiments on scheduling tables generated off-line by GMH-MC-DAG, a meta-heuristic to schedule multiprocessor systems composed of multi-periodic Directed Acyclic Graphs of Mixed Criticality tasks with multiple criticality levels. The performances are very good w.r.t. those of LITMUS^RT and consistent with our temporal complexity evaluations.

Introduction

The adoption of multicore architectures in critical real-time systems leads to sharing more and more functionalities within a common execution platform. In traditional approaches such as the one proposed by the ARINC 653 architecture [1], in order to ensure safety constraints, only functionalities of the same criticality level share resources. This constraint limits the deployment of functionalities on multicore architectures to partitioned approaches, leading to a waste of resources [2]. To overcome this problem, the mixed criticality (MC) model proposes to execute tasks of different criticality levels on a common platform.

When a system runs in nominal mode, tasks are executed with an “optimistic” budget such as the worst-case execution time (WCET) estimated by the system designer. When a task does not complete its execution within its optimistic budget, the system enters a higher criticality mode. Typically, only higher criticality tasks continue to run and use a “pessimistic” budget, such as the WCET determined by a certification authority.
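The mode-change rule described above, as an added example (not code from the paper or from LITMUS^RT): a deliberately simplified C model with one processor and two criticality levels. The task names, budgets and the `run_frame` function are constructed for illustration, and the table-driven, multiprocessor mechanisms of the paper are not modelled.

```c
#include <stdio.h>

/* Added illustration: two criticality levels, one processor, jobs run in
 * array order. All names and numbers are constructed, not from the paper. */
enum crit { LO = 0, HI = 1 };

struct mc_task {
    const char *name;
    enum crit level;   /* criticality level of the task */
    int budget[2];     /* budget[LO]: optimistic, budget[HI]: pessimistic */
};

struct job_result { int ran; int granted; };

/* Runs one job per task; demand[i] is the time job i actually needs.
 * Fills out[] and returns the mode the system ends the frame in. */
enum crit run_frame(const struct mc_task *ts, const int *demand, int n,
                    struct job_result *out)
{
    enum crit mode = LO;
    for (int i = 0; i < n; i++) {
        out[i].ran = out[i].granted = 0;
        if (ts[i].level < mode)
            continue;                    /* lower-criticality task is dropped */
        out[i].ran = 1;
        int b = ts[i].budget[mode];
        if (demand[i] > b && mode == LO) {
            mode = HI;                   /* optimistic budget overrun */
            /* only a HI task keeps running, now on its pessimistic budget */
            b = (ts[i].level == HI) ? ts[i].budget[HI] : b;
        }
        out[i].granted = demand[i] < b ? demand[i] : b;  /* never past budget */
    }
    return mode;
}

int main(void)
{
    const struct mc_task ts[] = {
        { "nav", HI, {2, 5} }, { "log", LO, {3, 3} }, { "ctl", HI, {4, 6} },
    };
    const int demand[] = { 4, 3, 4 };    /* "nav" overruns its budget of 2 */
    struct job_result r[3];
    enum crit m = run_frame(ts, demand, 3, r);
    for (int i = 0; i < 3; i++)
        printf("%-3s ran=%d granted=%d\n", ts[i].name, r[i].ran, r[i].granted);
    printf("final mode: %s\n", m == HI ? "HI" : "LO");
    return 0;
}
```

In the constructed run, the overrun of "nav" switches the system to the higher mode, "log" is dropped, and "ctl" runs against its pessimistic budget.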

Many contributions for scheduling such systems on multi-processor architectures have been proposed in the literature [3]. Although, at the margin, few contributions demonstrate their survivability characteristics during run-time [4], most of these approaches have not demonstrated their usability in the critical systems industry. First, most of them partition the multicore system into multiple single-core subsystems at the cost of wasting resources. Second, most of them do not consider dependent tasks, although this model corresponds to the majority of industrial systems like those based on data flow graphs (SCADE, Simulink, …). Third, the proposed scheduling algorithms may require significant modifications in an already certified real-time kernel. Finally, the approaches are often complex, not only because they integrate the complexity of multicore schedulers but also because they must ensure safe changes of execution mode.

As a consequence, few or no practical implementations and empirical evaluations have been presented yet. This is a major concern since schedulability performances also depend on scheduler implementation overheads. These overheads have many possible sources. In multicore platforms, preemptions and migrations are the number one source of issues. This paper aims at designing efficient execution platforms for global MC schedulers. To illustrate the discussion, we propose as a case study the implementation of GMH-MC-DAG on top of LITMUS^RT. In other words, we use the scheduling tables generated off-line by GMH-MC-DAG as inputs to evaluate the proposed scheduler implementation.

GMH-MC-DAG is a good candidate for our study as it defines a meta-heuristic to schedule multicore systems composed of multi-periodic Directed Acyclic Graphs (DAG) of Mixed Criticality (MC) tasks. This approach produces offline scheduling tables supporting DAGs of real-time tasks with more than two criticality levels as often proposed in standards related to dependable systems (e.g. Design Assurance Levels (DAL) in DO-178). GMH-MC-DAG also relies on time-triggered scheduling to improve the certifiability of the MC scheduler.

This paper is organized as follows. In Section 2 we give an overview of related works. Section 3 describes the objectives of this contribution. In Section 4, we give an overview of our case study, which consists in the execution on top of LITMUS^RT of scheduling tables generated off-line by the GMH-MC-DAG algorithm. Section 5 presents our contribution to LITMUS^RT to support global reservation-based scheduling through our G-RES plugin. From this first contribution, we describe in Section 6 our G-MCRES LITMUS^RT plugin to enforce safe criticality mode changes, and we discuss the temporal complexity of the overall solution. In Section 7, we provide empirical overhead and latency results on the implementation of these two plugins. We conclude and give some perspectives in Section 8.

Section snippets

Related works

Supporting a very complete MC task model and providing an effective execution platform for it is an important topic for the real-time system community. Many theoretical works but few practical implementations have already been studied. First, we discuss the execution kernels that can support mixed criticality systems. Second, we present scheduling contributions that offer a rich MC task model at a reasonable cost in terms of kernel implementation or extension.

Problem statement

This section highlights two major issues when it comes to implementing efficient mixed criticality schedulers.

From now on, we use "processor" to designate the computing unit running a task, be it a core, a core thread or a processor in a multi-processor platform. Indeed, most global algorithms rely at some point on a global state transition. Such a transition often relies on scheduling event handlers that are atomic (and thus mutually exclusive to each other among processors). An alternative

Background

In this section we introduce the task model we are targeting, then we present previous results related to GMH-MC-DAG scheduling on N-criticality systems. For more details, the reader should refer to [18] for the core approach and to [19] for the extensions (N criticality levels and optimizations of the offline part). Finally, we discuss the issues in supporting the online part of GMH-MC-DAG on a representative real-time kernel such as LITMUS^RT.

G-RES plugin

As already said, we have to schedule table-driven periodic tasks on multiple processors. LITMUS^RT already supports reservation-based scheduling through the P-RES plugin and proposes three policies: periodic polling, sporadic polling and table-driven. This implementation enforces only partitioned schedules of tasks on multiprocessor architectures. Thus, it does not have to deal with issues raised when migrating threads or sharing reservations between processors (threads embody tasks in LITMUS

G-MCRES plugin

This section describes the core features required to enforce mixed criticality global static scheduling. It explains why a budget overrun is easier to detect in the case of table-driven schedulers, and how we implement system-wide criticality mode changes in both directions in our G-MCRES plugin for LITMUS^RT.

We also show how our approach guarantees the correctness of a mode change even in the presence of simultaneous or near-simultaneous scheduling events. Then we evaluate the temporal

Experiments

Unless specified otherwise, the tests have been performed on a Hewlett-Packard EliteBook 840 G2 laptop running LITMUS^RT with our G-MCRES plugin. The processor is an Intel Core i7-5600U CPU running at 2.6 GHz with 2 physical cores and 4 threads. In this section, we will use the term “core” to designate an autonomous execution unit, which can be either a physical core or a thread within a physical core.

Conclusion

This paper presents the design of run-time mechanisms that enable the deployment of global table driven schedules to support the GMH-MC-DAG task model and scheduling approach. We pointed out that this model is leveraging important limitations of MC task models as it allows expressing precedence constraints and several criticality levels. In addition to this, we selected this scheduling approach because it targets time triggered architectures that are particularly easy to verify and certify. We

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

The authors would like to thank Louise Flick for having implemented the first draft of the G-RES plugin.

References (26)

  • Zhou, Yuanbin et al. Scheduling optimization with partitioning for mixed-criticality systems. J. Syst. Archit. (2019)
  • Baruah, Sanjoy et al. Expressing survivability considerations in mixed-criticality scheduling theory. J. Syst. Archit. (2020)
  • Kyriakakis, Eleftherios et al. A time-predictable open-source ttethernet end-system. J. Syst. Archit. (2020)
  • ARINC 653 — Avionics application software standard interface (2003)
  • Burns, Alan et al. Mixed Criticality Systems-A Review (2019)
  • Chisholm, Micaiah et al. Reconciling the tension between hardware isolation and data sharing in mixed-criticality, multicore systems
  • Sanjoy Baruah, Gerhard Fohler, Certification-cognizant time-triggered scheduling of mixed-criticality systems, in:...
  • Delange, Julien et al. Code generation strategies from AADL architectural descriptions targeting the high integrity domain. Embedded Real Time Software and Systems (ERTS2008) (2008)
  • Davis, Robert I. et al. Mixed criticality systems with varying context switch costs
  • Trujillo, Salvador et al. MultiPARTES: Multicore virtualization for mixed-criticality systems
  • Jean, Xavier et al. Ensuring robust partitioning in multicore platforms for IMA systems
  • Namhoon Kim, Jeremy Erickson, James H. Anderson, Mixed-criticality on multicore (MC2): A status report, in: Proceedings...
  • Jens Theis, Gerhard Fohler, Sanjoy Baruah, Schedule table generation for time-triggered mixed criticality systems, in:...
    Laurent Pautet is a Professor at Telecom Paris. His research activities focus on design and validation of critical embedded systems (non-functional properties verification, real-time scheduling, real-time kernels). He contributes technically and scientifically to several international free software projects such as GNAT/GCC. He is also a member of standard committees such as AADL’s one. He is the author or co-author of more than 25 papers in international journals, more than 100 papers in international conferences. He is an editor and a contributor to several books in the area of distributed real-time embedded systems.

    Thomas Robert received his Ph.D. degree from Institut Polytechnique de Toulouse. This work tackled run-time mechanisms to monitor real-time system behavior. Since 2009, he is an Associate Professor at Telecom Paris, a member of the Institut Polytechnique de Paris. He is doing his research in the LTCI lab. His research is organized on two axes: models to design and monitor scheduling algorithms of real-time embedded systems, and quantitative security risk analysis for industrial networked systems.

    Samuel Tardieu is an Associate Professor at Telecom Paris, and a member of the LTCI lab and Institut Polytechnique de Paris. His research areas encompass real-time embedded operating systems operating under safety critical constraints. Also a free software movement activist for 25 years, he developed or contributed to many free software projects including the first implementation of Ada distributed system annex for the GNAT compiler.