Mixed Criticality Systems with Weakly-Hard Constraints
Sophie Quinton
INRIA Grenoble
sophie.quinton@inria.fr
Rob Davis
University of York
rob.davis@york.ac.uk
Oliver Gettings
University of York
oliver@cs.york.ac.uk
- Criticality is the required level of assurance against failure
- Mixed Criticality Systems contain applications of at least two criticality levels
- Examples: Aerospace: Flight Control Systems v. Surveillance; Automotive: Electric Power Steering v. Cruise Control
- Driven by Size, Weight and Power (SWaP) and cost requirements
- Applications with different criticalities (safety critical, mission critical etc.) on the same HW platform
- Dual-Criticality: applications of HI and LO criticality
- Separation: must ensure that LO-criticality applications cannot impinge on those of HI-criticality
- Sharing: want to allow LO- and HI-criticality applications to use the same resources for efficiency
- Concept of a criticality mode (LO or HI)
- LO- and HI-criticality applications must meet their time constraints in LO-criticality mode
- Only HI-criticality applications need meet their time constraints in HI-criticality mode (?)
- Idea of different LO- and HI-criticality WCET estimates for the same code
- Certification authority requires a pessimistic approach to $C^{HI}$
- System designers take a more realistic approach to $C^{LO}$
$\tau_i = (T_i, D_i, C_i, L_i)$
- $T_i$: task period or minimum inter-arrival time
- $D_i$: relative deadline
- $C_i^{m}$: WCET of $\tau_i$ at criticality level $m$
- $L_i$: designated criticality level for $\tau_i$
- If a HI-criticality task executes for its $C^{LO}$ without signalling completion then no further jobs of LO-criticality tasks are started[1] and the system enters HI-criticality mode
- This frees up processor bandwidth to ensure that HI-criticality tasks can meet their deadlines in HI-criticality mode
- But ... it has the drawback that LO-criticality functionality is completely abandoned

[1] Any partially executed job of each LO-criticality task may complete
[Figure: AMC timeline. A HI-criticality task $\tau_i$ executes for $C_i^{LO}$ in LO mode and up to $C_i^{HI}$ in HI mode; a LO-criticality task $\tau_k$ ($C_k^{LO}$) is shown executing and preempted; job releases, deadlines met and the LO mode / HI mode change are marked on the time axis.]
[Figure: AMC-rtb. After the criticality change, $\tau_i$ is assumed to execute up to $C_i^{HI}$; the LO-criticality task has no more releases after the criticality change; the HI-criticality task continues.]

LO-criticality mode:
$$R_i^{LO} = C_i^{LO} + \sum_{k \in hp(i)} \left\lceil \frac{R_i^{LO}}{T_k} \right\rceil C_k^{LO}$$

HI-criticality mode:
$$R_i^{HI} = C_i^{HI} + \sum_{k \in hpHI(i)} \left\lceil \frac{R_i^{HI}}{T_k} \right\rceil C_k^{HI}$$

Mode change transition:
$$R_i^{*} = C_i^{HI} + \sum_{k \in hpHI(i)} \left\lceil \frac{R_i^{*}}{T_k} \right\rceil C_k^{HI} + \sum_{k \in hpLO(i)} \left\lceil \frac{R_i^{LO}}{T_k} \right\rceil C_k^{LO}$$

The last sum is the interference from higher priority LO-criticality tasks (bounded by $R_i^{LO}$, since no LO-criticality job is released after the change).
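The three AMC-rtb equations above, carried through as an added Python example (not the authors' code) on a constructed task set: $\tau_1$ is LO-criticality, $\tau_2$ and $\tau_3$ are HI-criticality, listed highest priority first; the task parameters and the `fixed_point` helper are assumptions of the example.

```python
from dataclasses import dataclass

@dataclass
class Task:
    crit: str   # "LO" or "HI"
    T: int      # period / minimum inter-arrival time
    D: int      # relative deadline
    C_LO: int   # LO-criticality WCET estimate
    C_HI: int   # HI-criticality WCET estimate (equal to C_LO for LO tasks)
def ceil_div(a, b):
    return -(-a // b)
def fixed_point(start, interference, limit):
    # Iterate r = start + interference(r) until it converges or exceeds limit (the deadline).
    r = start
    while True:
        nxt = start + interference(r)
        if nxt == r or nxt > limit:
            return nxt
        r = nxt

def r_lo(tasks, i):
    # LO-criticality mode: every higher priority task interferes with its C^LO.
    return fixed_point(tasks[i].C_LO,
                       lambda r: sum(ceil_div(r, k.T) * k.C_LO for k in tasks[:i]), tasks[i].D)

def r_hi(tasks, i):
    # HI-criticality mode: only HI tasks run, all with their C^HI.
    hp_hi = [k for k in tasks[:i] if k.crit == "HI"]
    return fixed_point(tasks[i].C_HI,
                       lambda r: sum(ceil_div(r, k.T) * k.C_HI for k in hp_hi), tasks[i].D)

def r_star(tasks, i):
    # Mode change: HI tasks interfere with C^HI over R*, LO tasks only over R^LO (fixed up front).
    hp_hi = [k for k in tasks[:i] if k.crit == "HI"]
    lo_interf = sum(ceil_div(r_lo(tasks, i), k.T) * k.C_LO for k in tasks[:i] if k.crit == "LO")
    return fixed_point(tasks[i].C_HI,
                       lambda r: lo_interf + sum(ceil_div(r, k.T) * k.C_HI for k in hp_hi),
                       tasks[i].D)

def amc_rtb_schedulable(tasks):
    # Every task meets D in LO mode; HI tasks also in HI mode and across the transition.
    for i, t in enumerate(tasks):
        if r_lo(tasks, i) > t.D:
            return False
        if t.crit == "HI" and max(r_hi(tasks, i), r_star(tasks, i)) > t.D:
            return False
    return True

# Constructed task set, highest priority first (values chosen for the example).
TASKS = [Task("LO", 12, 12, 3, 3), Task("HI", 20, 10, 2, 5), Task("HI", 100, 100, 20, 30)]
```

For $\tau_3$ the three values are 33, 40 and 54: the transition is the worst case because the two LO jobs released before $R_3^{LO}$ still interfere while every HI job is already charged at $C^{HI}$.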
- AMC-rtb analysis assumes (pessimistically) that all jobs of HI-criticality tasks execute with their $C^{HI}$ values
- AMC-max removes this pessimism
[Figure: AMC-max timeline. A HI-criticality task $\tau_i$ executes with $C_i^{LO}$ in LO mode and $C_i^{HI}$ in HI mode; job releases, deadlines met and the mode change at time $s$ are marked on the time axis.]

$$M(k, s, t) = \min\left( \left\lceil \frac{t - s + D_k}{T_k} \right\rceil, \left\lceil \frac{t}{T_k} \right\rceil \right)$$

calculates the number of jobs of $\tau_k$ released up to $t$ that can execute with $C_k^{HI}$ after the criticality change at time $s$.

AMC-max, criticality mode change (LO → HI) at time $s$:
$$R_i^{s} = C_i^{HI} + \sum_{k \in hpLO(i)} \left( \left\lfloor \frac{s}{T_k} \right\rfloor + 1 \right) C_k^{LO} + \sum_{k \in hpHI(i)} \left( M(k, s, R_i^{s})\, C_k^{HI} + \left( \left\lceil \frac{R_i^{s}}{T_k} \right\rceil - M(k, s, R_i^{s}) \right) C_k^{LO} \right)$$

- Values of $s$ that need to be assessed are bounded by 0 and $R_i^{LO}$.
- Values of $s$ at which the response time may change correspond to releases of higher priority LO-criticality tasks:
$$R_i^{*} = \max_{s} R_i^{s} \quad \text{where } s \in \{\, l\,T_k \mid k \in hpLO(i),\ l \in \mathbb{N},\ l\,T_k \le R_i^{LO} \,\}$$
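The AMC-max scan over candidate mode-change instants, as an added Python example (not the authors' code) on a constructed three-task set; $\tau_2$ is given a deadline shorter than its period so that the bound $M(k, s, t)$ actually removes some $C^{HI}$ interference, and the task parameters and helpers are assumptions of the example. AMC-rtb gives $R_3^{*} = 54$ for this set; the scan below yields 51.

```python
from dataclasses import dataclass

@dataclass
class Task:
    crit: str   # "LO" or "HI"
    T: int      # period
    D: int      # relative deadline
    C_LO: int   # LO-criticality WCET estimate
    C_HI: int   # HI-criticality WCET estimate

def ceil_div(a, b):
    return -(-a // b)

def fixed_point(start, interference, limit):
    r = start
    while True:
        nxt = start + interference(r)
        if nxt == r or nxt > limit:
            return nxt
        r = nxt

def r_lo(tasks, i):
    return fixed_point(tasks[i].C_LO,
                       lambda r: sum(ceil_div(r, k.T) * k.C_LO for k in tasks[:i]), tasks[i].D)

def M(k, s, t):
    # Bound on the jobs of HI task k released in [0, t) that run with C^HI after a mode
    # change at s: only a job whose deadline falls after s can still be executing at s.
    return min(ceil_div(t - s + k.D, k.T), ceil_div(t, k.T))

def r_s(tasks, i, s):
    # Response time of HI task i if the mode change happens at s: LO tasks contribute only
    # the jobs released up to s; HI jobs before the change count C^LO, after it C^HI.
    hp_lo = [k for k in tasks[:i] if k.crit == "LO"]
    hp_hi = [k for k in tasks[:i] if k.crit == "HI"]
    lo_interf = sum((s // k.T + 1) * k.C_LO for k in hp_lo)
    hi_interf = lambda r: sum(M(k, s, r) * k.C_HI + (ceil_div(r, k.T) - M(k, s, r)) * k.C_LO
                              for k in hp_hi)
    return fixed_point(tasks[i].C_HI, lambda r: lo_interf + hi_interf(r), tasks[i].D)

def r_star_max(tasks, i):
    # AMC-max: worst case over every candidate s, i.e. each release of a higher priority
    # LO task no later than R^LO (a later change cannot affect the job under analysis).
    r_lo_i = r_lo(tasks, i)
    candidates = {l * k.T for k in tasks[:i] if k.crit == "LO" for l in range(r_lo_i // k.T + 1)}
    return max(r_s(tasks, i, s) for s in candidates or {0})

# Constructed task set, highest priority first; t2's deadline (10) is below its period (20).
TASKS = [Task("LO", 12, 12, 3, 3), Task("HI", 20, 10, 2, 5), Task("HI", 100, 100, 20, 30)]
```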
- Abandoning LO-criticality functionality is not acceptable in many real systems
- May lead to loss of important functionality as LO-criticality tasks are still critical (not non-critical)
- AMC-WH aims to address the abandonment problem by combining AMC with an existing concept called Weakly-Hard
- Provides a guaranteed minimum quality of service for LO-criticality tasks in HI-criticality mode: graceful degradation
- Weakly-Hard constraints were proposed in 2001 by Guillem Bernat et al.
- Guarantee that $(m - s)$ out of any $m$ deadlines are met via (somewhat complex) offline analysis
- AMC-WH combines a simple interpretation of the weakly-hard concept with the existing AMC policy and schedulability analysis
- Allows $s$ out of $m$ LO-criticality jobs to be skipped in HI-criticality mode to reduce the load on the system
- Still provides a level of service to LO-criticality applications, since $(m - s)$ out of $m$ deadlines are met
- Gives the system designer flexibility to provide graceful degradation for LO-criticality applications
[Figure: LO-criticality task $\tau_k$ under AMC-WH on a time axis from 2 to 18; the criticality mode change from LO mode to HI mode, job releases, deadlines met, $\tau_k$ executing and a skipped job of $\tau_k$ are marked.]

A LO-criticality task skips a number of consecutive jobs in a cycle:
- Skip $s$ jobs in the next $m$ releases
- Repeat this cycle indefinitely in HI-criticality mode
- The number of skipped jobs is strictly bounded: $(m - s)$ out of $m$ deadlines are met

[Figure: releases 1 to 9 of $\tau_k$ grouped into cycles $n = 1, 2, 3$ of length $m_k T_k$; job released, deadline met, $\tau_k$ executing and skipped jobs are marked.]
Interference from a LO-criticality task $\tau_k$ with skipping, up to time $t$ (all releases minus the skipped ones):
$$\left( \left\lceil \frac{t}{T_k} \right\rceil - \sum_{n=1}^{s_k} \left\lceil \frac{t - (m_k - n)\,T_k}{m_k T_k} \right\rceil \right) C_k^{LO}$$

$\tau_i = (T_i, D_i, C_i, L_i, s_i, m_i)$, where $m$ is the length of a cycle, $s$ is the number of skipped jobs in a cycle and $n$ is the index of a skipped job.

LO-criticality mode:
$$R_i^{LO} = C_i^{LO} + \sum_{k \in hp(i)} \left\lceil \frac{R_i^{LO}}{T_k} \right\rceil C_k^{LO}$$

HI-criticality mode:
$$R_i^{HI} = C_i^{L_i} + \sum_{k \in hpHI(i)} \left\lceil \frac{R_i^{HI}}{T_k} \right\rceil C_k^{HI} + \sum_{k \in hpLO(i)} \left( \left\lceil \frac{R_i^{HI}}{T_k} \right\rceil - \sum_{n=1}^{s_k} \left\lceil \frac{R_i^{HI} - (m_k - n)\,T_k}{m_k T_k} \right\rceil \right) C_k^{LO}$$
Worst case assumes skips are at the end of each cycle.

[Figure: LO-criticality task $\tau_k$ with cycles of length $m_k T_k$ on a time axis from 2 to 18; $R_i^{LO}$, the LO mode / HI mode change and $x_k$ are marked; job released, deadline met, $\tau_k$ executing and skipped jobs are shown.]
First release of a job of $\tau_k$ after the criticality mode change: $x_k = \left\lceil \frac{R_i^{LO}}{T_k} \right\rceil T_k$. Skips start on the first release after the mode change.

Criticality mode change (LO → HI), HI-criticality tasks:
$$R_i^{*} = C_i^{HI} + \sum_{k \in hpHI(i)} \left\lceil \frac{R_i^{*}}{T_k} \right\rceil C_k^{HI} + \sum_{k \in hpLO(i)} \left( \left\lceil \frac{R_i^{*}}{T_k} \right\rceil - \sum_{n = m_k - s_k + 1}^{m_k} \left\lceil \frac{R_i^{*} - (m_k - n)\,T_k - x_k}{m_k T_k} \right\rceil \right) C_k^{LO}$$
Assumes skips are at the start of each cycle.

Criticality mode change (LO → HI), LO-criticality tasks:
$$R_i^{*} = C_i^{LO} + \sum_{k \in hpHI(i)} \left\lceil \frac{R_i^{*}}{T_k} \right\rceil C_k^{HI} + \sum_{k \in hpLO(i)} \left\lceil \frac{R_i^{*}}{T_k} \right\rceil C_k^{LO}$$
No skipping assumed for higher priority LO-criticality tasks.
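The skip-counting term of the AMCrtb-WH HI-criticality mode equation (skips at the end of each cycle) and of the mode-change equation for HI-criticality tasks (skips at the start of each cycle from $x_k$ onwards), as one added Python example that is not the authors' code: the closed form is checked against a release-by-release enumeration, then both response times are computed for a constructed task set ($\tau_1$ LO with $T=12$, $C^{LO}=3$, weakly-hard $(s_1, m_1)$; $\tau_2$ HI with $T=20$, $C^{HI}=5$; $\tau_3$ HI with $T=100$, $D=100$, $C^{LO}=20$, $C^{HI}=30$, so $R_3^{LO}=33$). All parameters and helpers are assumptions of the example.

```python
from itertools import count

def ceil_div(a, b):
    return -(-a // b)

def executing_jobs(t, T, m, s, x=0, at_start=False):
    # Closed-form count of the jobs of a LO-criticality task (period T, s skips per cycle of
    # m releases) released in [0, t) that are NOT skipped: all releases minus the skipped ones.
    # at_start=False: the last s jobs of each cycle (cycles from time 0) are skipped, the
    #   worst case used for the HI-criticality mode equation.
    # at_start=True: the first s jobs of each cycle are skipped, cycles starting at x, the
    #   first release after the mode change (mode-change equation for HI tasks).
    ns = range(m - s + 1, m + 1) if at_start else range(1, s + 1)
    skipped = sum(max(0, ceil_div(t - (m - n) * T - x, m * T)) for n in ns)
    return ceil_div(t, T) - skipped

def executing_jobs_enumerated(t, T, m, s, x=0, at_start=False):
    # The same count obtained by walking the releases one by one (checks the closed form).
    total = 0
    for r in count(0, T):
        if r >= t:
            return total
        if r < x:                     # before the mode change no job is skipped
            total += 1
            continue
        pos = ((r - x) // T) % m      # position of this release within its cycle
        total += (pos >= s) if at_start else (pos < m - s)

def response_time(start, interference, limit):
    r = start
    while True:
        nxt = start + interference(r)
        if nxt == r or nxt > limit:
            return nxt
        r = nxt

# Constructed task set: t1 LO (T=12, C^LO=3, weakly-hard (s1, m1)), t2 HI (T=20, C^HI=5),
# t3 HI (T=100, D=100, C^LO=20, C^HI=30), for which R3^LO = 33.
def r3_hi_wh(s1, m1=3):
    # R3^HI under AMCrtb-WH: t2 charged with C^HI, t1 with its non-skipped jobs only.
    return response_time(30, lambda r: ceil_div(r, 20) * 5 + executing_jobs(r, 12, m1, s1) * 3, 100)

def r3_star_wh(s1, m1=3, r3_lo=33):
    # R3* across the mode change: t1 starts skipping at x1, its first release after R3^LO.
    x1 = ceil_div(r3_lo, 12) * 12
    return response_time(30, lambda r: ceil_div(r, 20) * 5
                         + executing_jobs(r, 12, m1, s1, x=x1, at_start=True) * 3, 100)
```

With $s_1 = 1$ of $m_1 = 3$ the HI-mode response time of $\tau_3$ is 57, between the plain AMC value 40 ($s_1 = m_1$, every job of $\tau_1$ dropped) and the FPPS value 60 ($s_1 = 0$, nothing dropped).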
- AMCrtb-WH, analysing HI-criticality tasks: assumes all HI-criticality jobs up to $R^{*}$ execute with their $C^{HI}$ values AND
- AMCrtb-WH, analysing LO-criticality tasks: assumes no skipping of LO-criticality jobs up to $R^{*}$.
- AMCmax-WH analysis removes these sources of pessimism by taking into account the points at which a criticality mode change could occur
- Analysis for LO- and HI-criticality modes is the same as AMCrtb-WH
AMCmax-WH, criticality mode change (LO → HI) at time $s$. First release of a job of $\tau_k$ after the criticality mode change: $z_k = \left\lceil \frac{s}{T_k} \right\rceil T_k$.

[Figure: LO-criticality task $\tau_k$ with the mode change at time $s$, $z_k$ and cycles of length $m_k T_k$ marked on the time axis; job released, deadline met, $\tau_k$ executing and skipped jobs are shown.]
Criticality mode change (LO → HI), all tasks:
$$R_i^{*} = \max_{s} R_i^{s} \quad \text{where } s \in \{\, l\,T_k \mid k \in hpLO(i),\ l \in \mathbb{N},\ l\,T_k \le R_i^{LO} \,\}$$
- For HI-criticality tasks, $s$ is checked for values up to $R_i^{LO}$
- For LO-criticality tasks, $s$ is increased until $R_i^{*}$ converges below the current value of $s$
$$R_i^{s} = C_i^{L_i} + \sum_{k \in hpLO(i)} \left( \left\lceil \frac{R_i^{s}}{T_k} \right\rceil - \sum_{n = m_k - s_k + 1}^{m_k} \left\lceil \frac{R_i^{s} - (m_k - n)\,T_k - z_k}{m_k T_k} \right\rceil \right) C_k^{LO} + \sum_{k \in hpHI(i)} \left( M(k, s, R_i^{s})\, C_k^{HI} + \left( \left\lceil \frac{R_i^{s}}{T_k} \right\rceil - M(k, s, R_i^{s}) \right) C_k^{LO} \right)$$

Jobs of LO-criticality task $\tau_k$ are skipped after the criticality mode change at time $s$; jobs of HI-criticality task $\tau_k$ only take $C^{HI}$ values after the criticality mode change at time $s$.

Policies compared in the evaluation:
- UB-H&L: composite upper bound on schedulability
- AMC-max: Baruah et al. 2011 [3]
- AMC-rtb: Baruah et al. [3]
- SMC: SMC-NO with budget-enforced execution for LO-criticality tasks [3]
- SMC-NO: Vestal's original analysis [29]
- AMCmax-WH: weakly-hard version of AMC-max
- AMCrtb-WH: weakly-hard version of AMC-rtb
- FPPS: fixed priority preemptive scheduling with run-time monitoring to prevent LO-criticality tasks overrunning
- CrMPO: Criticality Monotonic Priority Ordering. Tasks ordered by criticality, then by DMPO within the two partitions
- Uniformly distributed utilisation values generated with UUnifast
- $T$ randomly assigned from a log-uniform distribution between 10 and 1000
- $C_i^{LO} = U_i \cdot T_i$
- Criticality Factor (CF): $C_i^{HI} = C_i^{LO} \cdot CF$
- Criticality Probability (CP): probability that a task will be HI-criticality
- Plotted against LO-criticality utilisation
- Solid lines represent policies that guarantee some LO-criticality task deadlines are met in HI-criticality mode.
- Dashed lines represent policies that de-schedule or permit deadline misses
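The task-set generation just described (UUnifast utilisations, log-uniform periods, $C^{LO} = U \cdot T$, $C^{HI} = C^{LO} \cdot CF$, HI-criticality with probability CP), as an added Python example that is not the authors' experimental code; setting each deadline equal to its period is an assumption of the example, not stated on the slides.

```python
import math
import random

def uunifast(n, total_util, rng):
    # UUnifast (Bini and Buttazzo): n utilisations, uniformly distributed over the
    # vectors that sum to total_util, so no task is biased towards a particular share.
    utils, remaining = [], total_util
    for i in range(1, n):
        nxt = remaining * rng.random() ** (1.0 / (n - i))
        utils.append(remaining - nxt)
        remaining = nxt
    utils.append(remaining)
    return utils

def generate_task_set(n, total_util, cf, cp, seed=0):
    # Parameters as on the slide: periods log-uniform in [10, 1000], C^LO = U * T,
    # C^HI = C^LO * CF, each task HI-criticality with probability CP.
    # Deadline equal to period is an assumption of this example.
    rng = random.Random(seed)
    tasks = []
    for u in uunifast(n, total_util, rng):
        period = math.exp(rng.uniform(math.log(10), math.log(1000)))
        c_lo = u * period
        crit = "HI" if rng.random() < cp else "LO"
        tasks.append({"crit": crit, "T": period, "D": period, "C_LO": c_lo,
                      "C_HI": c_lo * cf if crit == "HI" else c_lo})
    return tasks

def lo_utilisation(tasks):
    # LO-criticality utilisation of the whole set: the x-axis of the success-ratio plots.
    return sum(t["C_LO"] / t["T"] for t in tasks)

def hi_utilisation(tasks):
    # Utilisation of the HI-criticality tasks in HI mode, the load left after LO tasks are dropped.
    return sum(t["C_HI"] / t["T"] for t in tasks if t["crit"] == "HI")
```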
[Figure: success ratio plotted against LO-criticality utilisation.] AMC-WH dominates CrMPO and FPPS; AMC-WH is dominated by AMC.

Weighted schedulability:
- Enables overall comparisons when varying a specific parameter (not just utilisation)
- Combines results from a set of equally spaced utilisation levels
- Collapses all the data on a success ratio plot for a given method into a single point on a weighted schedulability graph. Weighted schedulability is effectively a weighted version of the area under a success ratio curve, biased towards scheduling higher utilisation task sets
[Figure: weighted schedulability results.] Less pessimistic analysis of LO-criticality tasks in HI-criticality mode with AMCmax-WH v. AMCrtb-WH.

$s = m$ => AMC; $s = 0$ => FPPS
Conclusions:
- AMC-WH combines the AMC protocol with a simple interpretation of Weakly-Hard constraints
- Provides a guaranteed minimum Quality of Service (QoS) for LO-criticality tasks in HI-criticality mode: $(m - s)$ out of $m$ deadlines are met
- Performance scales between AMC and FPPS

Future work:
- Permit weakly-hard behaviour in any criticality mode, where each task is assigned a set of weakly-hard constraints per criticality level
- Investigate recovery to LO-criticality mode