Real-time Systems Specification, Verification and Analysis Edited by Mathai Joseph Tata Research Development & Design Centre Revised version with corrections June 2001 Original edition published in 1996 by Prentice Hall International, London, under ISBN 0-13-455297-0 This version incorporates corrections to and changes from the original edition. This version is made available for research, teaching and personal use only. Copies may be made for non- commercial use only. Enquiries for other uses to the Editor ([email protected]). Contents Preface vii Contributors xii 1TimeandReal-time 1 MathaiJoseph Introduction 1 1.1 Real-timecomputing 2 1.2 Requirements,speci®cationandimplementation 3 1.3 Theminepump 5 1.4 Howtoreadthebook 11 1.5 Historicalbackground 12 1.6 Exercises 14 2FixedPriorityScheduling±ASimpleModel 15 MathaiJoseph Introduction 15 2.1 Computationalmodel 16 2.2 Staticscheduling 18 2.3 Schedulingwithpriorities 19 2.4 Simplemethodsofanalysis 20 2.5 Exactanalysis 24 2.6 Extendingtheanalysis 29 2.7 Historicalbackground 30 2.8 Exercises 31 iii iv CONTENTS 3 AdvancedFixedPriorityScheduling 32 AlanBurnsandAndyWellings Introduction 32 3.1 Computationalmodel 32 3.2 Advancedschedulinganalysis 38 3.3 IntroductiontoAda95 50 3.4 Theminepump 53 3.5 Historicalbackground 64 3.6 Furtherwork 64 3.7 Exercises 65 4DynamicPriorityScheduling 66 KrithiRamamritham Introduction 66 4.1 Programmingdynamicreal-timesystems 69 4.2 Issuesindynamicscheduling 75 4.3 Dynamicpriorityassignment 76 4.4 Dynamicbest-effortapproaches 80 4.5 Dynamicplanning-basedapproaches 83 4.6 Practicalconsiderationsindynamicscheduling 90 4.7 Historicalbackground 93 4.8 Furtherwork 94 4.9 Exercises 95 5AssertionalSpeci®cationandVeri®cation 97 JozefHooman Introduction 97 5.1 Basicframework 98 5.2 Theminepump 105 5.3 Communicationbetweenparallelcomponents 109 5.4 Paralleldecompositionofthesumpcontrol 114 5.5 Programminglanguage 122 5.6 Theminepumpexample:®nalimplementation 131 5.7 Furtherwork 136 5.8 Historicalbackground 138 5.9 Exercises 141 CONTENTS v 6Speci®cationandVeri®cationinTimedCSP 147 SteveSchneider Introduction 147 6.1 Thelanguageofreal-timeCSP 147 6.2 Observationsandprocesses 156 6.3 Speci®cation 162 6.4 Veri®cation 164 6.5 Casestudy:theminepump 169 6.6 Historicalbackground 178 6.7 Exercises 180 7Speci®cationandVeri®cationinDC 182 ZhimingLiu Introduction 182 7.1 Modellingreal-timesystems 182 7.2 Requirements 184 7.3 Assumptions 188 7.4 Design 189 7.5 Thebasicdurationcalculus(DC) 191 7.6 Theminepump 198 7.7 Speci®cationofschedulingpolicies 202 7.8 Probabilisticdurationcalculus(PDC) 205 7.9 Historicalbackground 224 7.10Furtherwork 225 7.11Exercises 227 8Real-timeSystemsandFault-tolerance 229 HenkSchepers Introduction 229 8.1 Assertionsandcorrectnessformulae 230 8.2 Formalizingafailurehypothesis 232 8.3 Aproofruleforfailureproneprocesses 234 8.4 Reliabilityoftheminepump 236 8.5 Soundnessandcompletenessofthenewproofrule 250 8.6 Historicalbackground 254 8.7 Exercises 256 References 259 Index 272 Preface The®eldofreal-timesystemshasnottraditionallybeenhospitabletonewcomers:onthe onehandthereareexpertswhoseemtorelyonexperienceandafewspecializeddocu- mentsand,ontheother,thereisavastandgrowingcatalogueoftechnicalpapers.There areveryfewtextbooksandthemostsuccessfulpublicationsareprobablycollectionsof pastpaperscarefullyselectedtocoverdifferentviewsofthe®eld.Asinteresthasgrown, sohasthecommunity,andthemorerecentpapersarespreadoveralargerangeofpub- lications.Thismakesitparticularlydif®culttokeepintouchwithallthenewdevelop- ments. Ifthisisdistressingtothenewcomer,itisofnolessconcerntoanyonewhohasto teachacourseonreal-timesystems:onehasonlytomovealittlebeyondpurelytechnical concernstonoticehowquicklytheteachablematerialseemstodisappearinacloudof opinionsandarangeofpossibilities.Itisnotthatthe®eldlacksintellectualchallenges orthatthereisnotenoughforastudenttolearn.Onthecontrary,theproblemseemstobe aquestionofwheretostart,howtorelatepracticaltechniqueswithmethodsofanalysis, analyticalresultswiththeoriesand,morecrucially,howtodecideontheobjectivesofa course. Thisbookprovidesadetailedaccountofthreemajoraspectsofreal-timesystems: programstructuresforreal-time,timinganalysisusingschedulingtheoryandspeci®ca- tionandveri®cationindifferentframeworks.Eachchapterfocusesonaparticulartech- nique:takentogether,theygiveafairlycomprehensiveaccountoftheformalstudyof real-timesystemsanddemonstratetheeffectivenessandapplicabilityofmathematically basedmethodsforreal-timesystemdesign.Thebookshouldbeofinteresttocomputer scientists,engineersandpracticalsystemdesignersasitdemonstratesalsohowthesenew methodscanbeusedtosolverealproblems. Chaptershavedifferentauthorsandeachfocusesonaparticulartopic,butthematerial hasbeenwrittenandeditedsothatthereadershouldnoticenoabruptchangeswhenmov- ingfromonechaptertoanother.Chaptersarelinkedwithcross-referencesandthrough theirdescriptionandanalysisofacommonexample:theminepump(Burns&Lister, 1991;Mahony&Hayes,1992).Thisallowsthereadertocomparetheadvantagesand vii viii PREFACE limitationsofdifferenttechniques.Thereareanumberofsmallexamplesinthetextto illustratethetheoryandeachchapterendswithasetofexercises. TheideaforthebookcameoriginallyfrommaterialusedfortheM.Sc.moduleon real-timesystemsattheUniversityofWarwick.Thismodulehasnowbeentaughtby severaloftheauthorsoverthelastthreeyearsandhasbeenattendedbybothstudents andvisitingparticipants.However,itwasplannedthatthebookwouldcontainamore comprehensivetreatmentofthematerialthanmightbeusedinasinglecourse.Thisal- lowsteacherstodrawselectivelyonthematerial,leavingsomepartsoutandothersas furtherreadingforstudents.SomepossiblecourseselectionsareoutlinedinChapter1 butmanymorearepossibleandthechoicewillbegovernedbythenatureofthecourse andtheinterestsandpreparationofthestudents.Partofthematerialhasbeentaughtby theauthorsinadvancedundergraduatecoursesincomputerscience,computerengineer- ingandrelateddisciplines;selectionshavealsobeenusedinseveraldifferentpostgrad- uatecoursesandinshortcoursesforindustrialgroups.Sothematerialhasbeenused successfullyformanydifferentaudiences. Thebookdrawsheavilyonrecentresearchandcanalsoserveasasourcebookfor thosedoingresearchandforprofessionalsinindustrywhowishtousethesetechniques intheirwork.Theauthorshavemanyyearsofresearchexperienceintheareasoftheir chaptersandthebookcontainsmaterialwithamaturityanddepththatwouldbedif®cult forasingleauthortoachieve,certainlyonashorttime-scale. Acknowledgements Eachchapterhasbeenreviewedbyanotherauthorandthencheckedandre-draftedbythe editortomakethestyleofpresentationuniform.Thisprocedurehasrequiredagreatdeal ofcooperationandunderstandingfromtheauthors,forwhichtheeditorismostgrateful. Despitecarefulscrutiny,therewillcertainlybeinexcusableerrorslurkingincornersand wewouldbeverygladtobeinformedofanythatarediscovered. Weareverygratefultothereviewersforcommentsonthedraftandforprovidingus withtheinitialresponsestothebook.AndersRavnreadcriticallythroughthewhole manuscriptandsentmanyusefulandacuteobservationsandcorrections.MatthewWa- habpointedoutanumberofinconsistenciesandsuggestedseveralimprovements.We arealsogladtoacknowledgethecooperationofearlier`minepump'authors,Andrew Lister,BrendanMahonyandIanHayes. Inaddition,particularthanksareduetomanyotherpeoplefortheircommentsondif- ferentchapters. Chapters1,2:TomaszJanowskimadeseveralusefulcomments,asdidstudentsof theM.Sc.moduleonreal-timesystemsandtheWarwickundergraduatecourse,Veri®ca- tionandValidation.SteveSchneider'sspeci®cationinZoftheminepumpwasauseful templateduringthedevelopmentofthespeci®cationinChapter1. Chapter4:GerhardFohler,SwamyKuttiandArcotSowmyacommentedonanearlier draft.Thanksarealsoduetothepresentandpastmembersofthereal-timegroupatthe UniversityofMassachusetts. Chapter5:JanVittreadthroughthechaptercarefullyandmadeseveralsuggestions PREFACE ix forimprovement. Chapter6:JimDavies,BrunoDutertre,GavinLowe,PaulMukherjee,JustinPearson, KenWoodandmembersoftheESPRITBasicResearchActionCONCUR2provided commentsatvariousstagesofthework. Chapter7:ZhouChaochenwasasourceofencouragementandadviceduringthewrit- ingofthischapter. ThebookwasproducedusingLATEX2e,aidedbytheconsiderableingenuity,skilland perseveranceofStevenHaeck,withcriticaltipsfromJimDaviesandwithhelpatmany stagesfromJeffSmith. Finally,thebookowesagreatdealtoJackieHarborofPrenticeHallInternational,who pilotedtheprojectthroughfromitsstart,andtoAlisonStanford,whowasSeniorPro- ductionEditor.Theircombinedeffortsmadeitpossibleforthewriting,editingandre- viewingofthebooktobeinterleavedwithitsproductionsothatthewholeprocesscould becompletedin10months. TheSerieseditor,TonyHoare,encouragedustostartthebookandpersuadedusnot tobedauntedbythetaskofeditingitintoacohesivetext.Allofus,editorandauthors, oweagreatdealforthissupport. DepartmentofComputerScience MathaiJoseph UniversityofWarwick Preface to Revised Edition In the five years that have passed since the original edition of the book was published, the field of real-time systems has grown at a breathtaking rate. Most notably, embedded systems have become a separate field of study from other real-time control systems and applications of embedded systems have spread from the original domain of machinery and transportation to hand- held devices, like organizers, personal digital assistants and mobile telephones. Along with this, the nature of the problems to be faced has also changed. Reliability, usability and adaptability are now added to the factors that must be studied and analyzed when designing a real-time embedded system. And with widespread personal use taking place, it is not just usability but also reliability