Multicore for safety-critical embedded systems: challenges and - - PowerPoint PPT Presentation

Multicore for safety-critical embedded systems: challenges and opportunities

Giuseppe Lipari

CRIStAL – Université de Lille

Centre de Recherche en Informatique, Signal et Automatique de Lille

June 23, 2016

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 1 / 46

Outline

1

Introduction to RT Systemes

2

Resource Reservations

3

Hierarchical scheduling

4

Multiprocessor sharing of resources

5

Conclusions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 2 / 46

Outline

1

Introduction to RT Systemes

2

Resource Reservations

3

Hierarchical scheduling

4

Multiprocessor sharing of resources

5

Conclusions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 3 / 46

Real-Time Systems

Most real-time systems are concurrent

need to handle many events with different temporal characteristics

Periodic events

In control systems, periodic sampling, computation of the control algorithm, actuation Different events may have different periods

Aperiodic events

May be triggered by the external environment Examples: a sensor triggers an interrupt, a packet arrives from the network

Different events are handled by different tasks that run concurrently Constraints: each task instance must complete before a certain instant (deadline) Scheduling problem: how to interleave tasks executions so that each task instance meets its deadline

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 4 / 46

Task model

A periodic task τi = (Ci, Di, Ti) consists of a (infinite) sequence of jobs Ji,k = {ai,k, ci,k, di,k} k = 0, 1, 2, . . ., with: ai,0 = 0 ∀k > 0 ai,k = ai,k−1 + Ti ∀k ≥ 0 di,k = ai,k + Di Ci = max{k ≥ 0|ci,k} Pseudo-code for a periodic task:

void * PeriodicTask(void *arg) { <initialization>; <start periodic timer, period = T>; while (cond) { <read sensors>; <update outputs>; <update state variables>; <wait next activation>; } }

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 5 / 46

Example of schedule

Every task τi is assigned a fixed priority pi; the active task with the highest priority is executed on the processor

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 6 / 46

Scheduling analysis

Theorem (Liu and Layland, 1973)

Consider n periodic (or sporadic) tasks with relative deadline equal to periods, whose priorities are assigned in Rate Monotonic order. Then, U =

N

• i=1

Ci Ti ≤ Ulub = n(21/n − 1) Ulub is a decreasing function of n; For large n: Ulub → 0.69

n Ulub n Ulub 2 0.828 7 0.728 3 0.779 8 0.724 4 0.756 9 0.720 5 0.743 10 0.717 6 0.734 11 . . .

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 7 / 46

Dynamic priority

The most important (and analysed) dynamic priority algorithm is Earliest Deadline First (EDF)

The priority of a job (instance) is inversely proportional to its absolute deadline;

Example with U = 23

24

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 8 / 46

Scheduling analysis

Theorem (Optimality, Dertouzos ’73)

If a set of jobs J is schedulable by an algorithm A, then it is schedulable by EDF.

Theorem (Liu & Layland ’71)

Given a task set of periodic or sporadic tasks, with relative deadlines equal to periods, the task set is schedulable by EDF if and only if U =

N

• i=1

Ci Ti ≤ 1

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 9 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect

In case of overhead (U > 1), in EDF we have the domino effect: it means that all tasks miss their deadlines. An example of domino effect is the following:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 10 / 46

Domino effect and fixed priority

FP is more predictable: only lower priority tasks miss their deadlines! In the previous example, if we use FP:

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3 τ4

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 11 / 46

Execution time and schedulability

The analysis depends on the worst-case execution time Ci of each task As we have seen in the previous slides, a wrong estimate may lead to a deadline miss How to compute the WCET of tasks ?

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 12 / 46

WCET estimation

Execution time of a task varies with

The input The state of the system The processor architecture Interference from other threads

How to compute

By timing analysis (by using appropriate tools) we can obtain a (safe) upper bound, but sometimes too pessimistic By testing we can only obtain an unsafe lower bound

Problem

A wrong estimate may lead to a wrong analysis

Courtesy of Peter Puschner Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 13 / 46

Execution time variability: example

Tasks can have variable execution times between different jobs

while (cond) { if (a > 10) { // long computation } else { // short computation } a = getInput(); }

We have two sources of variability:

the value of variable a influences which computation is performed (long

• r short);

the value of cond influences the number of times the loop body is executed.

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 14 / 46

Impact of processor architecture

With recent processor architectures, the difference between BCET and WCET became larger and larger

Figure : Courtesy of AbsInt

Impact of cache and shared resources Situation even worse on multi-core systems

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 15 / 46

Impact of interference

WCET Analysis

it is difficult to estimate a tight upper bound of WCET when the task executes in isolation

Preemption:

preempting tasks could evict cache lines next time the task executes the data is not in the cache anymore

while (i < 10) { data = getInput(); // ... // possible preemption function(data); // is data in cache ? }

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 16 / 46

Impact of interference

WCET Analysis

it is difficult to estimate a tight upper bound of WCET when the task executes in isolation

Preemption:

preempting tasks could evict cache lines next time the task executes the data is not in the cache anymore

while (i < 10) { data = getInput(); // ... // possible preemption function(data); // is data in cache ? }

Some (partial) solution is available

avoid (or limit) preemption → additional blocking time for higher priority tasks lock cache to some task try to minimise cache conflicts by properly placing tasks in memory

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 16 / 46

Outline

1

Introduction to RT Systemes

2

Resource Reservations

3

Hierarchical scheduling

4

Multiprocessor sharing of resources

5

Conclusions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 17 / 46

Resource Reservation

Assign each task to a server

a watchdog that monitors execution and enforces an execution budget

A server S = (Q, P)

Q: maximum execution budget P: minimim serving period U = Q/P: reserved bandwidth

Different algorithms in the literature

FP: Polling Server, Deferrable Server, Sporadic Server EDF: Dynamic Sporadic Server, Constant Bandwidth Server

Implementations

Sporadic Server is a POSIX standard (optional) CBS implemented in Linux (since 3.14), (available as SCHED_DEADLINE)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 18 / 46

Example

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) U = 0, 983 < 1 ⇒ schedulable

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 19 / 46

Misbehaving task

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) What happens if τ1 executes for 2 for the first 3 instances ?

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 miss their deadlines They could be critical tasks, we need to protect them

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 20 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

Example with CBS

Consider τ1 = (1, 4), τ2 = (2, 5), τ3 = (2, 6) Assign τ1 a server S1 = (1, 4)

2 4 6 8 10 12 14 16 18 20

τ1 τ2 τ3 τ2 and τ3 are not influenced

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 21 / 46

CBS algorithm properties

CBS takes care of other possible cases

jobs arriving earlier (or later) than expected jobs executing more or less than expected server period can be different from task period

Properties:

Temporal isolation: no server misses its "scheduling deadlines"

all server jobs execute the maximum budget before their scheduling deadlines

Hard Schedulablity: if a task is assigned Qi ≥ Ci and Pi ≤ Ti, then it will never miss its deadlines

Thanks to this properties we can easily mix hard and soft real-time tasks simply by assigning the correct parameters (budget/periods)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 22 / 46

CBS algorithm

Two dynamic variables

q: remaining budget (init to Q, decreases while executing) d: scheduling deadline

Idle Idle Active Ahead

q = Q , d = t + P if q < (d − t)Q/P i f q ≥ ( d − t ) Q / P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 23 / 46

CBS algorithm

Two dynamic variables

q: remaining budget (init to Q, decreases while executing) d: scheduling deadline

Idle Active Active Ahead

q = Q , d = t + P q = Q , d = t + P if q < (d − t)Q/P if q ≥ (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 23 / 46

CBS algorithm

Two dynamic variables

q: remaining budget (init to Q, decreases while executing) d: scheduling deadline

Idle Active Active Ahead

q = Q , d = t + P if q < (d − t)Q/P if q ≥ (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 4: q ← 2

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 23 / 46

CBS algorithm

Two dynamic variables

q: remaining budget (init to Q, decreases while executing) d: scheduling deadline

Idle Active Ahead Ahead

q = Q, d = t + P if q < (d − t)Q/P if q < (d − t)Q/P i f q ≥ ( d − t ) Q / P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 4: q ← 2 t = 7: q ← 1

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 23 / 46

CBS algorithm

Two dynamic variables

q: remaining budget (init to Q, decreases while executing) d: scheduling deadline

Idle Idle Active Ahead

q = Q , d = t + P if q < (d − t)Q/P i f q ≥ ( d − t ) Q / P when q = (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 4: q ← 2 t = 7: q ← 1 t = 9: zero lag time

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 23 / 46

CBS algorithm: early arrival

Idle Idle Active Ahead

q = Q , d = t + P if q < (d − t)Q/P i f q ≥ ( d − t ) Q / P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 24 / 46

CBS algorithm: early arrival

Idle Active Active Ahead

q = Q , d = t + P q = Q , d = t + P if q < (d − t)Q/P if q ≥ (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 24 / 46

CBS algorithm: early arrival

Idle Active Active Ahead

q = Q , d = t + P if q < (d − t)Q/P if q ≥ (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 2: q ← 2

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 24 / 46

CBS algorithm: early arrival

Idle Active Ahead Ahead

q = Q, d = t + P if q < (d − t)Q/P if q < (d − t)Q/P i f q ≥ ( d − t ) Q / P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 2: q ← 2 t = 5: q ← 1

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 24 / 46

CBS algorithm: early arrival

Idle Active Active Ahead

q = Q , d = t + P if q < (d − t)Q/P if q ≥ (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 2: q ← 2 t = 5: q ← 1 t = 8 < 9: reuse the same q = 1 and d = 12

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 24 / 46

CBS algorithm: early arrival

Idle Active Active Ahead

q = Q , d = t + P if q < (d − t)Q/P if q ≥ (d − t)Q/P when q = (d − t)Q/P

Q = 4, P = 12

2 4 6 8 10 12 14 16

τ1 t = 0: q ← 4, d ← 12 t = 2: q ← 2 t = 5: q ← 1 t = 8 < 9: reuse the same q = 1 and d = 12 t = 9: q = 0, so q ← 4 and d ← 24

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 24 / 46

Analysis

Setting the budget

the Hard Schedulability Property tells us that, to meet all deadlines, Qi ≥ Ci and Pi ≤ Ti If we allow some deadline to be missed, we can set the budget between the average value and the worst case value of the execution time We need some sort of probabilistic characterization of the execution time

Probability of deadline miss

For a periodic task, given the stochastic process of the execution time, the probability of missing a deadline can be computed under different conditions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 25 / 46

Probability of finishing time

When the budget is exhausted, the CBS will postpone the deadline by Pi

If the exceeding job is allowed to continue its execution, it will consume budget of future instances Future instance may also miss their deadlines

Markov chain model [Abeni and Buttazzo, 1999]

if the execution time is a IID stochastic variable, we can build a Markov Chain to compute the probability of finishing within Pi, 2Pi, . . . , kPi, . . .

Refinement [Palopoli, Fontanelli, Abeni, Villalba Frias, 2015]

Efficient numerical methods Closed form solution

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 26 / 46

Stopping and skipping

If the budget is exhausted we can

1

Continue executing all jobs

2

Kill the executing job

3

Skip the next job

Solution 2. is more difficult to implement

must leave data structures in a consistent state must unlock semaphores before exiting may need to roll-back some operation (time consuming)

Solution 3. is not always desirable

the data is produced late and may not be useful

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 27 / 46

Skipping next job

Here is a periodic POSIX thread in Linux, implementing solution 3.

void *thread_code(void *arg) { struct per_data *ps = (struct per_data *) arg; struct timespec next, now; clock_gettime(CLOCK_REALTIME, &next); while (1) { // Wait until next period timespec_add_us(&next, ps->period_us); clock_nanosleep(CLOCK_REALTIME, TIMER_ABSTIME, &next, NULL); // Job execution // Check deadline miss clock_gettime(CLOCK_REALTIME, &now); while (timespec_cmp(&now, &next) > 0) { // Skip jobs timespec_add_us(&next, ps->dline_us); } } return NULL; }

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 28 / 46

Outline

1

Introduction to RT Systemes

2

Resource Reservations

3

Hierarchical scheduling

4

Multiprocessor sharing of resources

5

Conclusions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 29 / 46

Hierarchical systems

Similar techniques are used for timing partition of applications (group

• f tasks)

T3 T4 T5 T7 T6 Global Scheduler Server S1 Server S2 Server S3 Local Scheduler

RM

Local Scheduler

POSIX

T2 T1 Local Scheduler

EDF

Application A2 Application A3 Application A1

Used mainly in IMA (Integrated Modular Avionics – ARINC 653)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 30 / 46

Hierarchical scheduling

Two levels of scheduling

A global scheduler selects the components to execute, regardless of their internal structure When a component is selected by the global scheduler, a local scheduler decides which of the tasks is executing

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 31 / 46

Hierarchical scheduling

Two levels of scheduling

A global scheduler selects the components to execute, regardless of their internal structure When a component is selected by the global scheduler, a local scheduler decides which of the tasks is executing

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 31 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Hierarchical scheduling - example

2 4 6 8 10 12 14 16 18 20 22 24 26

A(2,4) B(3,6) τ A

1 (2, 8)

τ A

2 (2, 12)

τ B

1 (2, 9)

τ B

2 (3, 16) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 32 / 46

Outline

1

Introduction to RT Systemes

2

Resource Reservations

3

Hierarchical scheduling

4

Multiprocessor sharing of resources

5

Conclusions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 33 / 46

Shared data

Until now, we have considered only independent tasks

a task never blocks or suspends it can only be suspended when it finishes its istance (job)

However, in reality, many tasks exchange data through shared memory

Example

Consider as an example three periodic tasks that exchange data Conflicts on concurrent access could make the data structures inconsistent.

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 34 / 46

Shared resources and critical sections

The shared data structure is called resource; A piece of code accessing the data structure is called critical section; Two or more critical sections on the same resource must be executed in mutual exclusion Therefore, each data structure should be protected by a mutual exclusion mechanism; here we will study what happens when resources are protected by mutual exclusion semaphores.

The resource and the corresponding mutex semaphore will be denoted by symbol Sj

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 35 / 46

Priority inversion

A blocking condition happens when a high priority tasks wants to access a resource that is held by a lower priority task. Consider the following example, where p1 > p2.

2 4 6 8 10 12 14 16 18 20 22 24 τ1 τ2 L(S) S L(S) S U(S) S U(S)

From time 4 to 7, task τ1 is blocked by a lower priority task τ2; this is a priority inversion. Priority inversion is not avoidable; in fact, τ1 must wait for τ2 to leave the critical section. However, in some cases, the priority inversion could be too large.

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 36 / 46

The middle priority task

Consider the following example, with p1 > p2 > p3

2 4 6 8 10 12 14 16 18 20 22 24

τ1 τ2 τ3

L(S) S L(S) S S U(S) S U(S)

The middle priority task delays the high priority task too much! Well-known problem since the ’90s (Mars Pathfinder problem)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 37 / 46

Priority Inheritance Protocol

First solution:

While the low priority task blocks an higher priority task, it inherits the priority of the higher priority task;

2 4 6 8 10 12 14 16 18 20 22 24 τ1 τ2 τ3 L(S) S L(S) S S U(S) S U(S) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 38 / 46

Resource reservation and semaphores

Two problems arise when using CBS with priority inheritance

What to do if the budget is exhausted within a critical section? What happens to the budget of a blocked task?

Blocking inside a critical section

2 4 6 8 10 12 14 16 18 20

τ1 τ2

L(S)

S

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 39 / 46

Resource reservation and semaphores

Two problems arise when using CBS with priority inheritance

What to do if the budget is exhausted within a critical section? What happens to the budget of a blocked task?

Blocking inside a critical section

2 4 6 8 10 12 14 16 18 20

τ1 τ2

L(S)

S

q = 0 Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 39 / 46

Resource reservation and semaphores

Two problems arise when using CBS with priority inheritance

What to do if the budget is exhausted within a critical section? What happens to the budget of a blocked task?

Blocking inside a critical section

2 4 6 8 10 12 14 16 18 20

τ1 τ2

L(S)

S

L(S) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 39 / 46

Resource reservation and semaphores

Two problems arise when using CBS with priority inheritance

What to do if the budget is exhausted within a critical section? What happens to the budget of a blocked task?

Blocking inside a critical section

2 4 6 8 10 12 14 16 18 20

τ1 τ2

L(S)

S

L(S) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 39 / 46

Resource reservation and semaphores

Two problems arise when using CBS with priority inheritance

What to do if the budget is exhausted within a critical section? What happens to the budget of a blocked task?

Blocking inside a critical section

2 4 6 8 10 12 14 16 18 20

τ1 τ2

L(S)

S

L(S)

S

U(S)

S

U(S) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 39 / 46

Solutions

1 Check budget

before entering the critical section, check if there is enough budget to complete Needs to know the length of the critical sections to work Used by Algorithm BROE [Bertogna et Baruah]

2 Overrun budget

if the budget is exhausted while in a critical section, the job is allowed to continue need to know the length of the critical sections for the analysis and admission control Used by Algorithm SIRAP [Benham et al.]

3 Inherit budget/deadline

When a task blocks another task, it inherits its budget/deadline pair needs to know the length of the critical sections for the analysis (but not for admission control) Used by Algorithm BWI [Lipari et al.]

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 40 / 46

Bandwidth Inheritance

In the previous case:

2 4 6 8 10 12 14 16 τ1 τ2 L(S) S

Task τ2 inherits the deadline and the budget (so the server) of task τ1 Therefore, it consumes the budget of the other server (rather than its

• wn)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 41 / 46

Bandwidth Inheritance

In the previous case:

2 4 6 8 10 12 14 16 τ1 τ2 L(S) S q = 0

Task τ2 inherits the deadline and the budget (so the server) of task τ1 Therefore, it consumes the budget of the other server (rather than its

• wn)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 41 / 46

Bandwidth Inheritance

In the previous case:

2 4 6 8 10 12 14 16 τ1 τ2 L(S) S L(S)

Task τ2 inherits the deadline and the budget (so the server) of task τ1 Therefore, it consumes the budget of the other server (rather than its

• wn)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 41 / 46

Bandwidth Inheritance

In the previous case:

2 4 6 8 10 12 14 16 τ1 τ2 L(S) S L(S) inheritance

Task τ2 inherits the deadline and the budget (so the server) of task τ1 Therefore, it consumes the budget of the other server (rather than its

• wn)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 41 / 46

Bandwidth Inheritance

In the previous case:

2 4 6 8 10 12 14 16 τ1 τ2 L(S) S L(S) inheritance S U(S)

Task τ2 inherits the deadline and the budget (so the server) of task τ1 Therefore, it consumes the budget of the other server (rather than its

• wn)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 41 / 46

Bandwidth Inheritance

In the previous case:

2 4 6 8 10 12 14 16 τ1 τ2 L(S) S L(S) S U(S) S U(S)

Task τ2 inherits the deadline and the budget (so the server) of task τ1 Therefore, it consumes the budget of the other server (rather than its

• wn)

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 41 / 46

Multiprocessor extension

On single-processors, when a task blocks, the lock-owner is not running On multi-processors, when a task blocks

the lock-owner may be running on another core. In this case, the blocking task starts to spin, i.e. it actively waits for the lock-owner to release the resource the lock-owner may be suspended on a different core. In this case, a migration occurs, and the lock owner executes in the server (and hence in the core) of the blocked task

We only consider FIFO blocking queues

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 42 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC C Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC B C C Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC BB C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A BBB C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A BBB L(R1) C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A A BBB L(R1) C1 C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A A L(R1) BBB L(R1) C1 C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A A L(R1) BBB L(R1) C1 C1 U(R1) C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A A L(R1) BBB L(R1) C1 C1 U(R1) B1 U(R1) C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A A L(R1) A1 U(R1) BBB L(R1) C1 C1 U(R1) B1 U(R1) B C C C1 L(R1) Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Example

3 tasks, τA, τB, τC, executed on 2 processors, that access only Semaphore R1.

2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 SA SB SC A A L(R1) A1 U(R1) A BBB L(R1) C1 C1 U(R1) B1 U(R1) B C C C1 L(R1) C Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 43 / 46

Computing interference

Theorem (Hard schedulability)

Consider a set of reservations schedulable on a system when access to semaphores is not considered. When M-BWI is used as a resource access protocol, hard real-time task τi, with WCET Ci and minimum inter-arrival time Ti, attached to a server Si = (Qi ≥ Ci + Ii, Pi ≤ Ti), never misses its deadline. The interference Ii can be computed with a complex algorithm

a generalization of the Priority Inheritance analysis The complexity is exponential in the number of tasks and length of blocking chains

BWI does not prevent deadlocks!

but can identify them at run time

Currently under implementation in Linux

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 44 / 46

Outline

1

Introduction to RT Systemes

2

Resource Reservations

3

Hierarchical scheduling

4

Multiprocessor sharing of resources

5

Conclusions

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 45 / 46

Resource reservations

Resource reservations are an effective technique for mixing hard and soft real-time tasks Other extensions

resource reclaiming power-aware scheduling adaptive reservations

It has been applied to bus scheduling

MemGuard [Pellizzoni et al.]

Currently available in Linux

companies are already experimenting with it give it a try!

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 46 / 46

Resource reservations

Resource reservations are an effective technique for mixing hard and soft real-time tasks Other extensions

resource reclaiming power-aware scheduling adaptive reservations

It has been applied to bus scheduling

MemGuard [Pellizzoni et al.]

Currently available in Linux

companies are already experimenting with it give it a try!

Open challenges:

combine memory/cache reservation techniques with CPU reservations to improve multicore performance

Giuseppe Lipari (CRIStAL) Multicore for safety-critical embedded systems: challenges and opportunities June 23, 2016 46 / 46