Optimization of Static Task and Bus Access Schedules for Time-Triggered Distributed Embedded Systems with Model-Checking Zonghua Gu, Xiuqiang He and Mingxuan Yuan HongKong University of Science and Technology 1.1
Time-Triggered Protocol (TTP) Widely used in safety-critical distributed systems Runtime Predictability Low Overhead Multiple CPU nodes connected by a TDMA bus. Bus schedule is divided into fixed-length time slots, Each CPU node is assigned a time slot to transmit messages. Messages are delivered to their destination CPU nodes at the end of the time slot, regardless of their exact arrival times. … CPU0CPU2 … CPU0CPU1 CPU2 Round 1Round 2
TTP-based Execution Platform TTP-Bus CPU0CPU1 … … CPU0CPU1 CPU0 CPU1 T1 T3 TTP Controller T2 RT-Kernel m2 m1 RT-Kernel m2 CPU0 T1 T2 m2 T3 m1 E1 E2E3 CPU0 CPU1
Problem Definition Schedule a task graph on a TTP-based execution platform to minimize the total schedule length by finding: Task-to-CPU assignments; Bus access schedule time slot-to-CPU assignment & time slot length Task and message start times; s.t all precedence and mutual exclusion constraints are satisfied Previous work relied on heuristic techniques to obtain near-optimal schedule We use model-checking to find probably optimal solutions
Tasks assigned to CPU0 Tasks assigned to CPU1 T0(20) T2(40)T1(10) T3(10) T4(20) m0(5) m1(5) m2(5) CPU0CPU1 T0 m T2T1 m1 T3 m2 T4 110 TTP Controller An Example
Background & Motivation Change the sequences of slots 95 T0T0 T2T2 T3T3 M0M T1T1 T4T4 M2 90 Bus CPU0 CPU1 (2) T0T0 T3T3 M0M T1T1 T4T4 M2 Bus CPU0 CPU1 T 21 T (3) 110 T0T0 T2T2 T3T3 M0M T1T1 T4T4 M2 90 Bus CPU0 CPU1 (1) Preemptive & release offset The schedule Optimal!
Definitions Task Graph Tasks with precedence relationships. Each edge represents a message between two tasks. Remote message: Sender and receiver tasks are on different CPUs. Local message: Sender and receiver tasks are on the same CPU. T0T1T3T4 m0(5) remote messagelocal message
Definitions (cont.) Work-Conserving Schedule A schedule is work-conserving if the CPU is never left idle when there are one or more tasks waiting for execution Anchor point: A time instance when either a task finishes execution( ) or the bus switches to the next time slot ( ) New events happen at anchor points. M0M M
Definitions (cont.) Initial & Non-Initial tasks Initial tasks: tasks without any predecessor tasks T0 Non-initial tasks: tasks with one or more predecessor tasks T1, T2, T3, T4 T0 T2T1 T3 T4
Two Theorems Theorem1: Every static preemptive scheduling problem has a solution of an optimal work-conserving schedule Theorem2: To find the shortest static schedule, we only need to try the anchor points as possible start times for non-initial tasks and messages, not the time instants in-between anchor points They are used to reduce the search space.
Two Theorems (cont.) Proof of Theorem 2 Constructive Proof (details omitted): Transformation results in equal or shorter schedule length. 110 CPU0 T0T0 T3T3 T4T4 M0M T1T1 M2 90 Bus CPU1 105 starts at non-anchor-point T2T2
The SPIN Model-Checker SPIN Explicit-state, on-the-fly model checker. Modeling Language Promela. Property Specification Language: Linear Temporal Logic (LTL)
Modeling Tasks with SPIN A task is modeled as a FSM with 3 states (IDLE, RUNNING, DONE) for non-preemptive scheduling or 4 states (IDLE, RUNNING, PREEMPTED, DONE) for preemptive scheduling Each state transition represents one clock tick
Model-Checking for Static Scheduling time is incremented until all tasks finish execution Check the reachability property <>time>=lb from the initial state, all possible execution paths eventually lead to a state where time>= lb. P1:<>time>=7 is true P2:<>time>=8 is false 7 is the shortest schedule length Counter-example trace of P2 is the schedule Automate this search process with branch-and-bound based on embedded C code in Promela (Ruys 2003) Initial State time=8 time=9 time=13 time=7 time=9 time=25
SPIN Basics Operator : Process: The process blocks if Condition1 is false Condition1 Statement1 example: run foo(100, 200, 0); declaration: proctype foo(int x, y; bit b){…} activation: The timeout key word. Timeout-guarded statements become executable if no other statement is executable Not a real-time concept Used to escape from deadlocks.
SPIN Model Overview Three process types: Advance: maintains the global time variable. Using Variable Time Advance to skip uneventful time instants Task: models a real-time task on CPU. Bus: models the bus access schedule.
Advance Process ( Non-Work-Conserving ) TimeAdvanceGuard defines the conditions guarding global time advance Get the time interval, minstep, to the earliest task finish time from the current time, time If the bus next slot start time is earlier, minstep will be changed Advance to the next earliest anchor point
Advance Process ( Work-Conserving ) Replace TimeAdvanceGuard by timeout Search space is reduced For preemptive scheduling: Optimality is not sacrificed (Theorem 1) For non-preemptive scheduling: Reduces the state space by removing non-deterministic delays Tradeoff between optimality and scalability
Task Process (Non-Preemptive) Precedence relation (for task 1): 01 Task[0].state==DONE 01 m0 Msg[0].state==ARRIVED Start to execute If multiple ready tasks are waiting for CPU, only one can start. SPIN will try all possibilities Finish execution Send message
Task Process (Non-Preemptive) cont. Handling the messages. Message queue of CPU i A message sent from task i to task j is a remote message that is transmitted on the bus A remote message is put into the message queue of CPU i, which will be processed later by the BUS Process Each CPU maintains a message queue!
A new task i ready at time can preempt the current running task, activeTask, by setting finTime of activeTask. Task Process (Preemptive) Condition time==Tasks[i].finTime forces the activeTask to be preempted and release the CPU. Task i starts to execute, and sets its finTime to (time + remaining execution time) Task i may be preempted during its execution; it finishes when Tasks[i].etsofar=Tasks[t].et
Bus Process Time to switch time slot Check whether there is enough time in the last time slot to transmit all or some of the messages in the buffer of CPU cpuID; mark the messages ARRIVED if they can be transmitted. Switch to the next time slot
Init Process Initializes: Sequence and lengths of the time slots. Initial task release offset. Use non-determinism to force SPIN to try all values between lower bound and upper bound:
Monitor Process All tasks have finished. Record the minimal schedule length and save the execution trace as the schedule.
Experiment Setup Linux computer with AMD Opteron 844(1.8GHZ) CPU, 8GB RAM. Static Schedules H: heuristic algorithm used in Eles et al TVLSI 00 A: model-checking with non-preemptive, work-conserving scheduling, given initial task release offset of 0 B: model-checking with non-preemptive, non work-conserving scheduling, given initial task release offset of 0. C: model-checking with preemptive, work-conserving scheduling, trying all possible initial task release offsets.
Evaluation Results Italic: results obtained with non-exhaustive search with bit-state hashing NT: Number of TasksSL: Schedule Length RT: Running time (s)Mem: Memory Size (MB)
Related Work Eles et al TVLSI 00 Heuristic list scheduling algorithms for finding near-optimal bus access schedules. Pop et al TVLSI 04 Minimizing system modification cost in an incremental design methodology by aggregating unused time slots in the bus schedule to accommodate addition of new functionality during system evolution. Possible future work. Geilen et al DAC 05 Used SPIN to find the optimal actor firing sequence that minimizes buffer size requirement of a Synchronous Dataflow (SDF) graph. T Not a real-time scheduling problem. Brinksma et al STTT 02 Used SPIN to derive the optimal schedule for an experimental chemical plant. Ruys et al SPIN 03 Used SPIN to solve the job-shop scheduling problem for a smart-card personalization machine. Cofer et al EMSOFT 02 Used SPIN to verify the time partitioning properties of an avionics real-time operating system
Conclusions Model-checking is useful, but not meant to replace other optimization algorithms due to scalability issues SPIN is an explicit-state, on-the fly model-checker, suitable for bug-hunting, but may not very suitable for solving real-time scheduling problems. Other techniques, such as symbolic model-checking with BDD, bounded model-checking with SAT, may have better scalability.
Q & Thank you for your time!