Architectural Support for Real-Time Computing Using Generalized Rate Monotonic Theory

744

計測と制御シテア Vol.31, No.7 集ルタイム分スム特リ散 (1992年7月)

≪展望 ≫

Architectural Support for Real-Time Computing using Generalized Rate Monotonic Theory

Lui SHA* and Shirish S. SATHAYE**

Abstract The rate monotonic theory and its generalizations have been adopted by national high technology projects such as the Space Station and has recently been supported by major open standards such as the IEEE Futurebus+ and POSIX. 4. In this paper, we focus on the architectural support necessary for scheduling activities using the generalized rate monotonic theory. We briefly review the theory and provide an application example. Finally we describe the architectural requirements for the use of the theory. Key Words: Real-Time Scheduling, Distributed Real-Time System, Rate Monotonic scheduling

● Stability under transient overload. When the 1. Introduction system is overloaded by events and it is im- Real-time computing systems are critical to an possible to meet all the deadlines, we must industrialized nation's technological infrastructure. still guarantee the deadines of selected critical Modern telecommunication systems, factories, de- tasks. fense systems, aircrafts and airports, space stations Generalized rate monotonic scheduling (GRMS) and high energy physics experiments cannot op- theory allows system developers to meet the erate .without them. In real-time applications, above requirements by managing system concur- the correctness of computation depends upon not rency and timing constraints at the level of task- only its results but also the time at which outputs ing and message passing. In essence, this theory are generated. The measures of merit in a real- ensures that as long as system utilization of all time system include: tasks lies below a certain bound, and appropriate ● Predictably fast response to urgent events. scheduling algorithms are used, all tasks meet

● High degree of schedulability. Schedulability their deadlines. This puts the development and is the degree of resource utilization at or be- maintenance of real-time systems on an analytic, low which the timing requirements of tasks engineering basis, making these systems easier to can be ensured. It can be thought as a mea- develop and maintain. sure of the number of timely transactions per This theory begins with the pioneering work second. by Liu and Layland16' in which the rate monotonic algorithm was introduced for scheduling in- * Software Engineering Institute , Carnegie Mellon dependent periodic tasks. The rate monotonic University, Pittsburgh PA 15213, U.S.A. ** Electrical and Computer Engineering Depart- scheduling (RMS) algorithm gives higher priorities ment, Carnegie Mellon University to periodic tasks with higher rates. RMS is an ** The author is with Digital Equipment Corpora- optimal static priority scheduling algorithm for tion's Distributed Systems Architecture Group, and is also currently a Ph. D candidate at Car- independent periodic tasks with end of period negie Mellon University deadlines. RMS theory has since been generalized

L. SHA•ES.S. SATHAYE: Architectural Support for Real-Time Computing using Generalized Rate Monotonic Theory 745

to analyze the schedulability of aperiodic tasks 2. A System Model with both soft deadlines and hard deadlines24), interdependent tasks that must synchronize19),18), In this section we describe a simple model of tasks with deadlines shorter than periods15), tasks a distributed real-time system that serves as a with arbitrary deadlines13), and single tasks having vehicle to illustrate GRMS theory. Fig. 1 shows multiple code segments with different priority a distributed system consisting of several nodes assignment8). RMS has also been extended to connected by a network. Each node in the net- analyze wide area network scheduling23). RMS work is a multiprocessor. Each processor in the has been applied to improve response times of node has a CPU, memory and an operating sys- aperiodic messages in a token ring network25). tem (OS). The processors communicate over a Cache algorithms for real-time systems using RMS shared backplane bus. We assume that the OS were developed in9). and the backplane bus support priority schedul- Because of its versatility and ease of use, GRMS ing. For example the OS could be POSIX. 417) has gained rapid acceptance. For example it is and the backplane could be Futurebus+6),21). The used for developing real-time software in the network could be a token ring25) or a dual link NASA Space Station Freedom Program7), the network23) that support GRMS. European Space Agency5) and is supported by the Each node in the system consists of signal pro- IEEE Futurebus+ Standard6) and IEEE Posix. cessors and control processors. In addition to 417). GRMS has been previously reviewed in20),14) performing signal processing and control func- and22). Uniprocessor scheduling and implications tions, nodes send system status information peri- to Ada tasking is described in20), major theoret- odically to a display node that interfaces with ical results are reviewed in14), some important operators. An operator may send commands to R & D decisions in the development of this theory nodes whenever the need arises. Each signal are examined in22)(1). processor in a node is connected to a sensor. The This paper focuses on architectural support for results of each signal processor are periodically the engineering of distributed real-time systems sent to a tracking processor which is a high per- using GRMS. We first review the essential ele- formance numeric processor dedicated to tracking ments of GRMS that are needed for the develop- the motion of objects. The result of tracking is ment of a distributed system at a relatively fast periodically sent over the bus to the control pro- pace(2). We then illustrate the application of cessor. The control processors are general pur- GRMS in the design of a hypothetical distributed pose computers which perform feedback control real-time system. Finally we describe architectural support for using GRMS. The paper is organized as follows. In Section 2 we describe a distributed real-time system model that will be used to illustrate the application of the theory in the rest of the paper. Section 3 reviews the basic elements of GRMS. Section 4 illustrates the use of the theory. Sections, 5 describes architectural support for application of GRMS. Section 6 has some concluding remarks.

(1) A handbook on using GRMS for real-time system analysis and design is currently under development at the Software Engineering Instit- ute, CMU. (2) Additional examples and illustrations can be found in20). Fig. 1 Block Diagram of Distributed System 746 1992年7月計測と制御第31巻第7号 tasks and communicates with operators via the the other hand, we can deposit one unit of network. service time in a •gticket box•h every 100 units

The architecture utilizes both tasking and mes- of time; when a new •gticket•h is deposited, sage passing paradigms. Application software is the unused old tickets, if any, are discarded. partitioned into allocation units each of which With this approach, no matter when the ape- can be allocated to a processor. An allocation riodic request arrives during a period of 100, unit groups together closely related application it will find there is a ticket for one unit of functions implemented as tasks. Tasks within an execution time at the ticket box. That is, ƒÑ2 allocation unit communicate via shared variables. can use the ticket to preempt ƒÑ1 and execute

Tasks in different allocation units communicate immediately when the request occurs. In this via messages. Allocation units can be freely re- case, ƒÑ2's response time is precisely one unit located as long as the resulting configuration is and the deadlines of ƒÑ1 are still guaranteed. still schedulable. This is the idea behind a class of aperiodic

server algorithms11) that can reduce aperiodic re- 3. Overview of Generalized Rate sponse time by a large factor (a factor of 50 in Monotonic Scheduling this example). We allow the aperiodic servers

In this section we review basic results which to preempt the periodic tasks for a limited dura-

allow us to design a distributed system with fea- tion that is allowed by the rate monotonic sched-

tures described in Section 2. We begin with the uling formula. An aperiodic server algorithm

scheduling of independent periodic and aperiodic called the Sporadic Server that handles hard

tasks. We then address the issues of task syn- deadline aperiodic tasks is described in24). Instead

chronization and the effect of having task dead- of refreshing the server's budget periodically , at lines before the end of their periods. fixed points in time, replenishment is determined

3.1 Scheduling Independent Tasks by when requests are serviced. In the simplest

A periodic task ƒÑi is characterized by a worst approach, the budget is refreshed one period after

case computation time Ci and a period Ti. Unless it has been exhausted, but earlier refreshing is

mentioned otherwise we assume that a periodic also possible.

task must finish by the end of its period. Tasks A sporadic server is only allowed to preempt

are independent if they do not need to synchro- the execution of periodic tasks as long as its com-

nize with each other. A real-time system typical- putation budget is not exhausted. When the

ly consists of both periodic and aperiodic tasks. budget is used up, the server can continue to ex-

The scheduling of aperiodic tasks can be treated ecute at background priority if time is available.

within the rate monotonic framework of periodic When the server's budget is refreshed, its execu-

task scheduling. For example, tion can resume at the server's assigned priority.

Example 1: Suppose that we have two tasks. There is no overhead if there are no requests.

Let ƒÑ1 be a periodic task with period 100 and Therefore, the sporadic server is especially suita-

execution time of 99. Let ƒÑ2 be a server for ble for handling emergency aperiodic events that

an aperiodic request that randomly arrives occur rarely but must be serviced quickly.

once within a period of 100. Suppose one An effective way to implement a sporadic server

unit of time is required to service one request. as follows. When an aperiodic request arrives,

If we let the aperiodic server execute only the system registers the request time. The capac-

in the background, i.e., only after completion ity consumed by this request is replenished one

of the periodic task, then the average re- sporadic period from the request time. This re-

sponse time is about 50 units. The same can plenishment approach guarantees that the aperiod-

be said for a polling server that provides one ic response time is no greater than the sporadic

unit of service time in a period of 100. On period, provided that the system is schedulable L. SHA•ES.S. SATHAYE: Architectural Support for Real-Time Computing using Generalized Rate Monotonic Theory 747 and sufficient server capacity is available. That following argument from12). Consider any task is the worst case aperiodic demand request within τn with a period Tn, deadline Dn≦Tn, and com- a duration of the sporadic period is no more putation Cn. Let tasks ƒÑ1 to ƒÑn-1 have higher than the server capacity. In contrast, the worst priorities than ƒÑn. Suppose that all the tasks start case response time for an aperiodic request ser- at time t=0. At any time t, the total cumulative viced by a polling server is bounded by twice demand on CPU time by these n tasks is: the period of the polling server. This occurs Wn(t)=C1[t/T when the request arrives just after the poll. It 1]+…+Cn[t/Tn]=nΣj=1Cj[t/Tj] waits one period for the next poll and up to The term [t/Tj] represents the number of times another period to complete its execution. From task ƒÑj arries during interval [0, t] and therefore a schedulability viewpoint, a sporadic server is Cj_??_t/Tj_??_ represents its demand during interval equivalent to a periodic task that performs pol- [0, t]. For example, let T1=10, C1=5 and t=9. ling, except that it provides better performance. Task ƒÑ1 demands 5 units of execution time. When To determine if a set of independent periodic t=11, task ƒÑ1 has arrived again and has a cumu- tasks is schedulable we introduce the following lative demand of 10 units of execution. theorem16). Suppose that task ƒÑn completes its execution Theorem 1: A set of n independent periodic exactly at time t before its deadline Dn. This tasks scheduled by the rate monotonic algo- means that the total cumulative demand from the rithm will always meet their deadlines for all n tasks up to time t, Wn(t), is exactly equal to task start times, if t, that is, Wn(t)=t. A method for finding the

C1/ completion time of task ƒÑ1, that is, the instance +C2/T2+…+Cn≦n(21/n-1) T1 when Wi(t)=t is given in Fig. 2.

where Ci is the execution time and Ti is the We shall refer to this procedure as the com-

period of task ƒÑi. pletion time test. If all the tasks complete before

Ci/Ti is the utilization of the resource by task their deadlines, then the task set is schedulable.

τi. The bound on the utilization, n(21/n-1), ra- For example,

Example 2: Consider a task set with the fol- pidly converges to ln 2=0.69 as n becomes large.

The bound of Theorem 1 is very pessimistic lowing independent periodic tasks:

because the worst-case task set is contrived and ● Task τ1: C1=20; T1=100; D1=100;

● Task τ2: C2=30; T2=145; D2=145; unlikely to be encountered in practice. The actual ● Task τ3=C3=68; T3=150; D3=150; bound is for given task sets often over 90%. The

remaining utilization can still be used by back- The total utilization of tasks ƒÑ1 and ƒÑ2 is 0.41

which is less than 0.828, the bound for two tasks ground tasks with low priority. To determine if

a set of tasks having utilization greater than the given by Theorem 1. Hence these two tasks are

bound of Theorem 1 can meet their deadlines, we schedulable. However the utilization of these

can use an exact schedulability test based on the

critical zone theorem (rephrased from16)):

Theorem 2: For a set of independent periodic

task ƒÑi meets its first deadline Di•…Ti, when

all the higher priority tasks are started at

the sametime, then it can meet all its future

deadlines with any task start times.

It is important to note that Theorem 2 applies

to any static priority assignment, not just rate

monotonic priority assignment. To check if a

task can meet its first deadline we describe the Fig. 2 Finding minimum t, where Wi(t)=t 748 1992年7月計測と制御第31巻第7号

ahigh priority task is prevented from execut-

ing by a low priority task. Unbounded pri-

ority inversion can occur as shown in the fol-

lowing example.

Example 3: Let τ1 and τ3 share a re-

source and let τ1 have a higher priority.

Let τ2 be an intermediate priority task

Fig. 3 Application of critical zone theorem to task ƒÑ3 that does not share any resource with

either τ1 or τ3. Consider the following three tasks is 0.86 which exceeds 0.779, Theorem scenario:

1's bound for three tasks. Therefore we need to 1. τ3 obtains a lock on the emaphore S apply the completion time test to determine the and enters its critical section to use a schedulability of task ƒÑ3. shared resource,

Fig. 3 shows the time line for the execution 2. τ1 becomes ready to run and preempts of task ƒÑ3. Since ƒÑ1 and ƒÑ2 must execute at least τ3. Next, τ1 tries to enter its critical once before ƒÑ3 can begin executing, the comple- section by first trying trying to lock S. tion time of v3 can be no less than 118. But S is already locked and hence ƒÑ1

t0=C1+C2+C3=20+30+68=118 is blocked and moved from ready queue

However, ƒÑ1 is initiated one additional time in to the semaphore queue. the interval (0, 118). Taking this additional ex- 3. τ2 becomes ready to run. Since only ecution into consideration, W3(118)=138. τ2 and τ3 are ready to run, τ2 preempts

t1=W3(t0)=2C1+C2+C3=40+30+68=138 τ3 while τ3 is in its critical section.

We find that W3(138)=138 and thus the mini- We would prefer that, ƒÑ1 being the highest mum time at which W3(t1)=t1=138. This is the priority task, be blocked no longer than the completion time of ƒÑ3. Therefore ƒÑ3 completes its time for ƒÑ3 to complete its critical section. first execution at time 138 and meets its deadline However, the duration of blocking is, in fact, of 150. unpredictable. This is because ƒÑ3 can be pre-

W3(t1)=2C1+C2+C3=40+30+68=138=t1 empted by the medium priority task ƒÑ2. As

Hence the completion time test determines that a result, task ƒÑ1 will be blocked until ƒÑ2 and

τ3 is schedulable even though the test of Theorem any other pending tasks of intermediate pri-

1 fails. ority are completed. The duration of prior-

3.2 Task Synchronization ity inversion becomes a function of task ex-

In the previous sections we have discussed ecution times and is not bounded by the dura- scheduling of independent tasks. Tasks, however, tion of critical sections. do interact. In this section, we discuss how The priority inversion problem can be control- GRMS can be applied to real-time tasks that must led by a priority ceiling protocol. The priority interact. Common synchronization primitives in- ceiling protocol is a real-time synchronization clude semaphores, locks, monitors, and Ada ren- protocol with two important properties19). dezvous. Although the use of these or equivalent Theorem 3: The priority ceiling protocol pre- methods is necessary to protect consistency of vents mutual locks between tasks. In addition, shared data or to guarantee the proper use of under the priority ceiling protocol, a task nonpreemptable resources, their use may jeopard- can be blocked by lower priority tasks at ize the system's ability to meet its timing require- most once. ments. In fact, a direct application of these syn- The protocol works as follows. We define the chronization mechanisms may lead to an indefinite priority ceiling of a binary semaphore S to be period of priority inversion, which occurs when the highest priority of all tasks that may lock S. L. SHA•ES.S. SATHAYE: Architectural Support for Real-Time Computing using Generalized Rate Monotonic Theory 749

When a task ƒÑ attempts to execute one of its criti- execution. Note that ƒÑ1 is blocked outside cal sections, it will be suspended unless its priority its critical section. As ƒÑ1 is not given the is higher than the priority ceilings of all sema- lock on S1 but suspended instead, the poten- phores currently locked by tasks other than ƒÑ. tial deadlock involving ƒÑ1 and ƒÑ2 is provented-

If task ƒÑ is unable to enter its critical section for Once ƒÑ2 exits its critical section, it will return this reason, the task that holds the lock on the to its assigned priority and immediately by semaphore with the highest priority ceiling is preempted by task ƒÑ1. From this point on, said to be blocking ƒÑ and hence inherits the pri- τ1 will execute to completion, and then τ2 ority of ƒÑ. As long as a task ƒÑ is not attempting will resume its execution until its completion. to enter one of its critical sections, it will pre- There is a simplified implementation of the empt every task that has a lower priority. The priority ceiling protocol called the priority ceil- following example illustrates the deadlock avoid- ing emulation20). In this approach, once a task ance property of the priority ceiling protocol. locks a semaphore, its priority is immediately

Example 4: Suppose that we have two tasks raised to the level of the priority ceiling. The

τ1 and τ2 (see Fig. 4). In addition, there are avoidance of deadlock and block-at-most once

two shared data structures protected by bina- result still hold, provided that the following re-

ry semaphores S1 and S2 respectively. Sup- striction is observed: a task cannot suspend its

pose task ƒÑ1 locks the semaphores in the order execution within the critical section(3). The pri-

S1, S2, while ƒÑ2 locks them in the reverse ority ceiling protocol has been extended to deal

order. Further, assume that ƒÑ1 has a higher with dynamic deadline scheduling4) and mixed

priority than ƒÑ2. Since both ƒÑ1 and ƒÑ2 use dynamic and static priority scheduling3).

semaphores S1 and S2, the priority ceilings of The schedulability impact of task synchroniza-

both semaphores are equal to the priority of tion can be assessed as follows. Let Bi be the

task ƒÑ1. Suppose that at time to, ƒÑ2 begins duration in which task ƒÑ1 is blocked by lower

execution and then locks semaphore S2. At priority tasks. The effect of this blocking can be

time t1, task ƒÑ1 is initiated and preempts task modeled as though task ƒÑi's utilization is increased

τ2, and at time t2, task τ1 tries to enter its by an amount Bi/Ti.

critical section by attempting to lock sema- Sometimes, a task ƒÑi's deadline, Di, is before

phore S1. However, the priority of ƒÑ1 is not the end of period. Theorem 1 was generalized

higher than the priority ceiling of locked to accommodate an earlier deadline. Let ƒ¢i=

semaphore S2. Hence, task ƒÑ1 must be sus- (Di/Ti)12)

pended without locking S1. Task ƒÑ2 now in- Theorem 4: A set of n periodic tasks sched- herits the priority of task ƒÑ1 and resumes uled by the rate monotonic algorithm will always meet its deadlines, for all task phas- ings, if

τ1: …P(S1)…P(S2)…V(S2)…V(S1)… ∀i, 1≦i≦n, τ2: …P(S2)…P(S1)…V(S1)…V(S2)…

C1/T1+C2/T2+ …+Ci/Ti≦U(Δ i).

where U (Δi)

i((2Δi)1/i-1)+1-Δi, 0.5≦ Δi≦1 = Δi, 0≦ Δi≦0.5

The completion time test can be directly used in the case when deadlines are shorter than end of period, with no modification. To ac-

(3) The full implementation permits tasks to Fig. 4 Example of deadlock prevention suspend within a critical section. 750 1992年7月計測と制御第31巻第7号

Lommodate blocking, we can simply add the block- trol processor should be no more than 785. The ing to the execution time of the task. control processor also has additional periodic and

So far, the task priority assignment follows aperiodic tasks which must be scheduled. The

the rate monotonic priority assignment. That is, tracking and control processors send status in- the shorter the period, the higher is the priority. formation across the network to a user interface

Note that this is a special case of giving tasks node and receive commands periodically. with narrower windows higher priorities, since Let the task set on the control processor be

the period is the window for completion when specified as given below:

the deadline is at the end of the period. ● Aperiodic event handling with an average

Sometimes, tasks may have deadlines earlier than execution time of 10 and an average interar- the end of periods. In generalized rate monotonic rival time of 100. We create a sporadic

scheduling, tasks with narrower windows to server task as follows: Task ƒÑ1: C1=20;

complete is given higher priority. Leung and T1=100;

Whitehead15) called this generalized method as ● Aperiodic task for handling local feedback

deadline monotonic algorithm. They showed that control with a computation requirement and

this generalized method is optimal for independent a given period, Task ƒÑ2: C2= 78; T2=150;

tasks with completion time windows less than ● A periodic task that utilizes the tracking

or equal to the periods. The use of deadline information received. Again the computa-

monotonic priority assignment will be illustrated tion time and period are given. Task ƒÑ3:

in Section 4. C3=30; T3=160;

● Aperiodic task responsible for reporting 4. Example Application status across the network with a given

In this section we describe an application of computation time and period. Task ƒÑ4: C4 =10; T4=300; the preceding theory to a concrete example. Con-

sider the system in Fig. 1. We assume that the Tasks ƒÑ1 and ƒÑ2 are in one allocation unit and

priority ceiling protocol is used for task synchro- Tasks ƒÑ3 and ƒÑ4 are in another unit. Note that

nization. We further assume that we use a pri- the scheduling of tasks in a processor is inde-

oritized backplane such as the IEEE Futurebus+, pendent of allocation units.

a coherent dual link network as described in23). 4.1 Assigning Message and Task Deadlines

Scheduling messages across a coherent dual link When a message is sent within a processor, it

network is identical to a multiprocessor backplane can be implemented by passing a message pointer

except for an additional network delay. to the receiving task and hence can be treated

Let the characteristics of the application be as as any other OS overhead. However, when a

follows. The unit of time in this example is mil- message is sent outside the processor boundary,

liseconds. Referring to Fig. 1, the sensor takes an integrated approach to assign message and

an observation every 40. To reduce unnecessary task deadlines needs to be developed. Consider

bus traffic the signal processing task processes the situation in Fig. 1.

the signal and averages it every 4 cycles before ● The sensor takes an observation every 40.

sending it to the tracking processor. The track- ● The signal processing task processes the

ing processor has a task with a period of 160. signal and every 4 cycles it averages the

After the task executes it sends the result to the result and sends it to the tracking processor

control processor. Task ƒÑ3 on the control pro- every 160.

cessor that uses the tracking information has a ● The tracking processor task executes with

computation requirement of 30 and a period of aperiod of 160. It then sends a message

160. In addition, the end-to-end latency of the to the control processor

● Task τ3 on the control processor that uses pipeline of data flow from the sensor to the con- L. SHA•ES.S. SATHAYE: Architectural Support for Real-Time Computing using Generalized Rate Monotonic Theory 751

the tracking information has a computa- deadline of 145. We check whether or not ƒÑ3

tional requirement of 30. and period of 160 completes within 145 under rate monotonic prior-

as given above. Recall that the end-to-end ity assignment. Under rate monotonic assignment

latency for the control processor to respond the completion of ƒÑ3 is:

to a new observation by the sensor needs t0=C1+C2+C3=20+78+30=128

to be less than 785. t1=W3(t0)=2C1+C2+C3=40+78+30=148

The steps involved in integrated priority as- W3(t1)=2C1+C2+C3=148=t1 signment are as follows: First we try to use the Therefore the completion time of ƒÑ3 is 148. In rate monotonic priority assignment. Since rate order to meet the deadline of 145 imposed by the monotonic analysis guarantees end-of-period dead- maximum allowable latency requirement of the lines, we assume that the end-to-end delay is the previous section, we use the deadline monotonic sum of the period for each resource. Since the priority assignment. This makes task ƒÑ3's prior- signal processor averages four cycles, each 40 ity higher than that of task ƒÑ2, which has an end- long, its delay is up to 160. Each of the other of-period deadline of 150. resources has a delay up to one period which is The schedulability of each task can be checked

160. That is, the total delay using rate monotonic as follows: scheduling is bound by 4*40+160+160+160+160 Task ƒÑ1 can be blocked by lower priority tasks

=800. If it were less than the allowable delay for 10, i.e B1=10. The schedulability test for then rate monotonic priority assignment could be task ƒÑ1 is a direct application of Theorem 4. used for all the resources. B1/T1 C1 =0.2+0.1=0.3≦1(21/1-1)=1 .0 However the specified maximum allowable la- / T1+

tency is 785. Hence we may need to use deadline The sporadic server task ƒÑ1 is schedulable. The monotonic scheduling for at least some of the re- average response time for aperiodic events handled

sources in the path. From a software engineer- by ƒÑ1 can be calculated as follows: The server

ing viewpoint, it is advisable to give a full period capacity is 20% (20/100) and the average aperiodic

delay for global resources such as the bus or the workload is 10% (10/100). Referring back to the network since their workload is more susceptible ticket box analogy of Example 1, because most of

to frequent changes. Since there are two bus the aperiodic arrivals can find •gtickets,•h we would

transfers involved we attempt to assign a full expect a good response time. Indeed, using a

period to each. We also attempt to assign a full M/M/110) approximation for the lightly loaded period to the signal and tracking processors. server, the expected response time for the aperiod-

Hence the required completion time of the control ics is W=E[S]/(1-ƒÏ)=10/(1-(0. 10/0.20))=20.

processor task ƒÑ3 should be no greater than 785- where E[S] is the average execution time of

4•~(160)=145. aperiodic tasks and ƒÏ is the average server uti-

4.2 Scheduling Tasks on the Control Processor lization.

In this section we apply the scheduling theory Task ƒÑ3 is the second highest priority task.

to the control processor tasks. Let tasks ƒÑ1, ƒÑ2 Since ƒÑ3 has a deadline shorter than its period,

and ƒÑ3 share several data structures guarded by the schedulability test for ƒÑ3 can be checked as

semaphores S1, S2 and S3. Suppose the duration given in Theorem 4. Here ƒ¢3=(D3/T3)=145/150

of critical sections accessing shared data structures =0 .967. Also, in the schedulability test of τ3,

are bounded by 10. Suppose the priority ceiling the utilization of task τ2 does not appear, since

protocol is used. Then by Theorem 3 higher τ2 has a lower priority and does not preempt τ3.

priority tasks are blocked at most once for 10 by Because of τ2 has a lower priority its critical

lower priority tasks. section can delay τ3 by 10. Therefore B3=10.

The task set on the control processor, is as de- C1/T1+C3/T3+B3/T3 =0.2+0.188+0.0625 scribed earlier with task ƒÑ3 modified to have a 752 1992年7月計測と制御第31巻第7号

=0.4505≦2((2Δ3)1/2-1)=0 .781 must have an adequate number of priority levels

Now consider the third highest priority task ƒÑ2. that can be assigned to tasks, and must be free

From the view point of the rate monotonic assign- from pitfalls that lead to unbounded priority in- ment, the deadline monotonic assignment is a version. Tf the system needs to use a wide area “priority inversion” . Therefore in the schedu- network such as a slotted dual link fiber optic lability test for task ƒÑ2, the effect of blocking has network, we need to be concerned about system to include ƒÑ3's execution time. The blocking time coherence issues due to distributed scheduling of is B2=C3+0. The zero indicates that there can shared resources. be no lower priority task blocking ƒÑ2. 5.1 Number of Priority Levels

C1/ The number of priority levels that can be sup- +C2/T2+B2/T2=0.2+0.52+0.2 T1 ported in software by an operating system is es- =0.92>2(21/2-1)=0.828 sentially unlimited. In contrast, the number of

The schedulability test of Theorem 4 fails for priority levels that can be supported by hardware τ2. The schedulability of τ4 can be checked by on a backplane and network is limited and there- the following simp;e test since there is neither fore is an important design consideration. A blocking or deadline before its end of period. smaller number of priority levels than required

C1/ by the rate monotonic assignment rule results in +C2/T2+C3/T3+C4/T4=0.2+0.52+0.188+0.033 T1 a potential loss in system schedulability. =0.941>4(21/4-1)=0.757 Fig. 5 plots schedulability as a function of prior-

Note that the schedulability test of Theorem 4 ity bits, relative to schedulability with as many fails for both tasks ƒÑ2 and ƒÑ4. To determine their priority levels as needed21). As can be seen, the schedulability we use the completion time test. schedulability loss is negligible with 8 encoded

Since ƒÑ1 and ƒÑ3 must execute at least once before priority bits, which corresponds to 256 priority

τ2 can begin executing, the completion time of τ2 levels. In other words, the worst-case schedu- can be no less than 128. lablility obtained with 8 priority bits is close to

t0=C1+C2+B2=20+78+30=128 that obtained with an unlimited number of prior-

However, ƒÑ1 is initiated one additional time in ity levels. In many older computer backplane the interval (0, 128). Taking this additional ex- buses, in addition to the lack of an adequate num- ecution into consideration, W2(128)=148. ber of priority levels, a board is given a fixed t1=W2(t0)=2C1+C2+B2=40+78+30=148 priority level. As a result, a processor cannot

Finally, we find that W2(148)=148 and thus the access the bus according to the priority of tasks minimum time at which W2(t)=t is 148. This is or messages. Fortunately, both these problems the completion time for ƒÑ2. Therefore ƒÑ2 com- are solved recent bus standard such as the IEEE Futurebus+, whose real-time computing option pletes its first execution at time 148 and meets its deadline of 150. directly supports the use of GRMS21). W2(t1)=2C1+C2+B2=40+78+30=148=t1

Similarly we can check the schedulability of task ƒÑ4 using the completion time test. It turns out to be schedulable.

5. Scheduling Considerations in

Hardware Architecture

In this section, we examine important architectural support necessary for the use of generalized rate monotonic scheduling. Since GRMS is a Fig. 5 Relative Schedulability vs. The Number of priority based scheduling algorithm, the system Priority Bits L. SHA•ES.S. SATHAYE: Architectural Support for Real-Time Computing using Generalized Rate Monotonic Theory 753

5.2 Multi-processor Backplane Scheduling suspend its ongoing transaction at a logical bound- In addition to a sufficiently large number of ary and yield to the pending higher priority re-

priorities, it is necessary to have consistent treat- quest. This scheme is particularly useful in real- ment of priorities throughout the arbitration, mes- time systems when a long block transfer at low sage passing and DMA protocols. In order to priority can be preempted by a higher priority support the GRMS theory, a module must request transaction. The preempted transaction can re- the bus based on the priority of the task or mes- sume at a later time after a fresh request/grant sage that needs the bus. This means that the cycle. If no priority change requests are trans- same module may request the bus at many dif- mitted, subsequent requests will have the same ferent priorities under software control. The priority level as the last specified value from that IEEE Futurebus+ supports such a software con- module. This model allows each request from a trolled priority arbitration paradigm. Unfortu- module to have a different priority level, or all nately, most existing bus architectures statically requests from the same module to have the same bind a single priority to each module. priority level. Software controlled priority arbitration can be 5.3 Hardware Queues supported by either a distributed arbiter or a To support message passing over a communica- centralized arbiter21). In this paper we limit our- tion medium such as a backplane bus or a net- selves to a description of the centralized arbiter work, FIFO hardware queues are commonly used because it is easier to implement. Furthermore, for both transmission and reception. Hardware it can be easily used to override existing bus FIFO queues at the receiver are acceptable if the arbitration schemes. This maintains logical com- software empties the entire queue and re-orders

patibility with existing products for that bus, the messages in priority order before processing. while supporting real-time computations, such as In contrast, a short transmission priority queue multi-media applications. We now provide an can lead to unbounded priority inversion. For overview of the central arbiter. example, suppose the transmission priority queue In the central arbiter model, each module contact of node A connected to a backplane bus is filled the central arbitor via a request line, a grant with low priority messages. If node A wishes to line and a preemption line. Ideally 8 encoded transmit a high priority message, it cannot even priority bits can be used for real-time applica- enter the high priority message in its transmis- tions. The centralized arbiter has a priority re- sion queue since it is full. Also unbounded prio- gister for each module. A module that needs the rity inversion can occur because medium priority bus asserts the request line. The central arbiter messages from other nodes prevent the servicing grants the bus to the requesting module with the of node A's queue, indefinitely holding off node highest priority value in the corresponding pri- A's high priority message. ority register by asserting the module's grant A practical solution is the use of a short prio- line. The priority level of a module can be rity queue with priority overwrite to emulate an changed by communicating its priority via a sepa- ideal priority queue21t. When the transmission rate serial line. To minimize the number of lines, queue is full and a higher priority message waits one can use the request line as the serial line . at the host, the higher priority message overwrites In this case, whenever a module needs the bus, the lowest priority message in the queue. To it sends its 8 bit priority code over the request prevent the potential loss of this lower priority line. message, the host must preserve each message in If there is an active bus master and the central memory until it is successfully transmitted. The arbiter receives a higher priority request, the overwrite occurs at the tail of the queue and can arbiter asserts the preempt line on the current occur concurrently with transmission from the bus master. The module may then voluntarily head of the queue, thus incurring very little per- 754 1992年7月計測と制御第31巻第7号 formance penalty. work. If this rule is violated, new con- 5.4 Network Scheduling nections can disrupt existing connections With proper scheduling support, the scheduling unnecessarily. of a local area network can be similar to schedul- ● Minimized Priority Inversion. The pro- ing a computer backplane or a processor25'. The tocol ensures that a low priority connec- scheduling of a wide area network however, raises tion cannot use a slot released for a high new challenges. Indeed, scheduling in a wide priority connection. Furthermore, high area network is different from scheduling in a priority requests should not have to wait single CPU, or a multiprocessor backplane or for transmission of lower priority requests. even a local area network. In a high speed wide The coherency reservation protocol and the flow area network such as the IEEE 802.61), distributed control protocol were described and analyzed in scheduling decisions for the shared links must be detail in23). Under these two protocols, the fol- made concurrently with delayed/incomplete infor- lowing was shown23): mation. The observed unpredictable timing be- Theorem 5: Given a set of periodic connec- havior of the IEEE 802.6 protocol during heavy tions in a coherent dual link network, if the workload underscores such a challenge2). set of connections are schedulable by the rate In a dual link network, connections reserve monotonic algorithm in a centralized system, bandwidth on one link by making requests on the then the network is transmission schedulable. other link. A periodic connection has a message Transmission schedulable means that after an ini- consisting of a fixed number of packets to transmit tial propagation delay, each connection can send per period. The key to solving the distributed out a message by the end of each period. scheduling problem for dual link networks is the From an architectural viewpoint, the key ele- fundamental concept of system coherence23). In- ment is to provide hardware support for preempt- tuitively, coherence is a logical and orderly re- ing lower priority requests. As discussed in lationship between elements of a system. In the Section 5.1, 256 priority levels are ideal. However

context of dual link networks, the relationships providing one request bit for each priority level that make a system coherent are: freedom from would create excessive overhead. One approach unbounded priority inversion, consistency between to solve this problem is to provide an 8-bit encoded

queues of requests in stations and finally flow priority field that is preemptable. That is, each control. station can replace a lower priority request with A dual link network protocol that results in a its own higher priority request. This can be im-

coherent system has been analyzed in23). The plemented as shown in Fig. 6. The slot priority protocol ensures the following properties: from the link is passed through a single bit delay

● Consistency between station queues.

Queue consistency is defined as follows. If request R1 and request R2 both exist in queue Qa and queue Qb, and if R1 is ahead of R2 in Qa, then R1 must also be ahead of R2 in Qb. Inconsistent queues lead to unpredictable behavior.

● Flow control for each connection. First a network connection always transmits at its given rate. Second the connection delays transmission for a round- trip delay, so that its requests for band-

width are visible throughout the net- Fig. 6 Request Preemption Circuit L. SHA•ES.S. SATHAYE: Architectural Support for Real-Time Computing using Generalizized Rate Monotonic Theory 755 and compared bit by bit with the station priority Micro (1990) that is stored in the shift register. As long as 8) M.G. Harbour, M.H. Klein and J.P. Lehoczky: Fixed Priority Scheduling of Periodic Tasks with the priority bits match the output of the Exclusive- Varying Execution Priority, Proceedings of IEEE OR gate is zero and the link priority is output. Real-Time Systems Symposium (1991) 9) D. Kirk and J.K. Strosnider: SMART (Strategic As soon as the priority bits differ, the station Memory Allocation for Real-Time) Cache Design priority bits are output if it has a higher priority. Using MIPS R 3000, Proceedings of IEEE Real-Time Otherwise the link priority bits are continued to Systems Symposium (1990) 10) L. Kleinrock: Queueing Systems, 1, John Wiley be transmitted. Note that the logic assumes that and Sons (1975) the priority bits in the slot are received most 11) J.P. Lehoczky, L. Sha and J. Strosnider: Enhanc- significant bit first. The preempted request is ing Aperiodic Responsiveness in A Hard Real-Time Environment, IEEE Real-Time System Symposium inserted into the station's request queue in prior- (1987) ity order. 12) J.P. Lehoczky, L. Sha and Y. Ding: The Rate Monotonic Scheduling Algorithm-Exact Charac- 6. Conclusion terization and Average Case Behavior, Proceedings of IEEE Real-Time System Symposium (1989) The rate monotonic theory and its generaliza- 13) J.P. Lehoczky: Fixed Priority Scheduling of Peri- tions has been adopted by national high technolo- odic Task Sets with Arbitrary Deadlines, IEEE gy projects such as the Space Station and has Real-Time Systems Symposium (1990) 14) J.P. Lehoczky, L. Sha, J.K. Strosnider and H. recently been supported by major open standards Tokuda: Fixed Priority Scheduling Theory for such as the IEEE Futurebus+. In this paper, we Hard Real-Time Systems, Foundations of Real-Time have described the use of generalized rate mono- Computing: Scheduling and Resource Management, Kluwer Academic Publishers (1991) tonic scheduling theory for the design and analysis 15) J. Leung and J. Whitehead: On the Complexity of of a distributed real-time system. We have pro- Fixed-Priority Scheduling of Periodic, Real-Time vided an application example to illustrate the Tasks, Performance Evaluation, 2 (1982) 16) C.L. Liu and J.W. Layland: Scheduling Algo- assignment of message and task deadlines, task rithms for Multiprogramming in a Hard Real Time scheduling and message scheduling. We have de- Environment, JACM 20, 1, 46/61 (1973) 17) IEEE Standard P 1003.4 (Real-time extensions to scribed hardware architectural support such re- POSIX), IEEE, 345 East 47th St., New York, NY quired number of priority levels, the design of 10017 (1991) hardware queues, arbitration in multiprocessor 18) R. Rajkumar, L. Sha and J.P. Lehoczky: Real-Time Synchronization Protocols for Multiprocessors, In backplanes and network scheduling. Proceedings of the Real-Time System Symposium, (Reseived March 11, 1992) 259/269, IEEE, Huntsville, AL (1988) 19) L. Sha, R. Rajkumar and J.P. Lehoczky: Priority References Inheritance Protocols: An Approach to Real-Time 1) IEEE 802.6 Distributed Queue Dual Bus-Metro- Synchronization, IEEE Transaction On Computers politan Area Network-Draft Standard-Version P 802. (1990) 6/D15 (1990) 20) L. Sha and J.B. Goodenough: Real-Time Schedul- 2) H.R. Van As, J.W. Wong and P. Zafiropulo: Fair- ing Theory and Ada, IEEE Computer (1990) ness, Priority and Predictability of the DQDB MAC 21) L. Sha, R. Rajkumar and J. Lehoczky: Real-Time Protocol under Heavy Load, Proceedings of the In- Applications Using IEEE Futurebus+, IEEE Micro ternational Zurich Seminar, 410/417 (1990) (1990) 3) T. Baker: Stack-Based Scheduling of Realtime Pro- 22) L. Sha, M. Klein and J. Goodenough: Rate Mono- cesses, Journal of Real-Time Systems, 3-1, 67/100 tonic Analysis for Real-Time Systems, Foundations (1991) of Real-Time Computing: Scheduling and Resource 4) M. Chen and K J. Lin: Dynamic Priority Ceilings: Management, Kluwer Academic Publishers (1991) A Concurrency Control Protocol for Real-time Sys- 23) L. Sha, S. Sathaye and J.K. Strosnider: Analysis tems, Journal of Real-Time Systems, 2-4, 325/346 of Reservation Based Dual Link Networks for (1990) Real-Time Applications, Technical Report, Software 5) ESA: Statement of Work, Hard Real-Time OS Engineering Institute (1992) Kernel, On-Board Data Division, European Space 24) B. Sprunt, L. Sha and J.P. Lehoczky: Aperiodic Agency (1990) Task Scheduling for Hard Real-Time Systems, The 6) Futurebus P 896. 1, 2, 3 Specifications, IEEE, 345 East Journal of Real-Time Systems, 1, 27/60 (1989) 47th St., New York, NY 10017, 1991, P 896 Working 25) J.K. Strosnider and T.E. Marchok: Responsive, Group of the Microprocessor Standards Committee. Deterministic IEEE 802.5 Token Ring Scheduling, 7) J.D. Gafford: Rate Monotonic Scheduling. IEEE Journal of Real-Time Systems, 1, 133/158 (1989) 756 1992年7月計測と制御第31巻第7号

[著者紹介]

Lai SHA君 Shirish S. SATHAYE君

Dr. Lui Sha is a senior member of Shirish Sathaye received the B. Tech the technical staff of Software Engine- degree in Electronics Engineering ering Institute, CMU and is a Senior from the Institute of Technology, Member of the IEEE. He was the co- B.H.U in 1984 and the M.S degreee- chairman of the 1988 IEEE and in Electrical Engineering from Vir- USENIX workship on Real-Time Soft- ginia Polytechnic Institute and State ware and Operating Systems, the Vice University in 1986. Since then he has Chairman of the 10th International Conference on been with Digital Equipment Corporation, and is cur- Distributed Computing Systems in 1990, and was the rently a Principal Engineer in their Distributed Sys- Program Chair of IEEE Real-Time System Symposium tems Architecture Group. in 1991. He chaired the Real-Time Task Group of the He is currently a Ph. D candidate at Carnegie Mel- IEEE Futurebus+ and serves as the Chairman of the lon University. His research interests include, High- Technical Advisory Board for the Research Institute speed Network Architectures and Protocols, Real-Time of Computing Information Systems, a R & D Center Systems, Scheduling Theory, and Multimedia Systems. established by NASA and NASA JSC at UHCL. He is also an associated editor of The International Journal of Time-Critical Computing Systems. Dr. Sha received the BSEE degree from McGill Uni- versity in 1978, the MSEE degree and the PhD degree from Carnegie-Mellon University in 1979 and in 1985 respectively.