Post on 12-Jun-2020
Moritz Neukirchner, Philip Axer, Tobias Michaels, Rolf Ernst
Monitoring of Workload Arrival Functions for Mixed-Criticality Systems
3 December 2013 | Moritz Neukirchner | Monitoring of Workload Arrival Functions for Mixed-Criticality Systems | Slide 2
Requirement of Safety Standard IEC61508
What is sufficient independence?
IEC61508:
“For a […] system that implements […] functions of different safety […]
levels, unless it can be shown there is sufficient independence […], the
requirements applicable to the highest relevant safety integrity level shall
apply […].”
IEC61508:
“the probability of a dependent failure between the non-safety
related and safety-related parts is sufficiently low”
Mixed-Criticality and Sufficient Independence
[Figure, ANALYSIS: Processor running τlc1, τlc2 and τhc, each task specified by 𝑃, 𝐽 and 𝐶; Interference]
• Tasks of different safety-criticality
• Specification of activation pattern and WCET
• Timing analysis yields maximum interference from low to high criticality
• For certification of τhc only the cumulative interference of higher priorities is relevant
• Interference from untrusted (i.e. low criticality) tasks must not exceed analysis bounds
→ Enforcement
Mixed-Criticality and Sufficient Independence
[Figure, ACTUAL SYSTEM: Processor running τlc1, τlc2 and τhc, with two Monitor blocks; Interference]
• Actual execution times
• Enforcement through execution time monitors
• Traces
• Enforcement through activation pattern monitors (e.g. [Wrege96], [Lampka11], [Neukirchner12])
• Enforced Interference
$I_{lc}(\Delta t) = C_{lc1} \cdot \frac{\Delta t + J_{lc1}}{P_{lc1}} + C_{lc2} \cdot \frac{\Delta t + J_{lc2}}{P_{lc2}}$
This monitoring is overly restrictive
because the interference among low-criticality tasks is also
enforced.
• Over-enforces if low criticality tasks (typically) do not experience
worst-case simultaneously (e.g. uncorrelated sporadic tasks)
Outline
• Modelling workload of arbitrarily activated tasks
• Monitoring of workload-arrival functions
• Checking traces
• Achieving constant runtime overhead
• Evaluation
Modelling Arbitrary Activation Patterns
• Event-arrival functions specify the maximum number of events that
may occur in a time-interval of size 𝚫𝐭
• Workload-arrival functions (WAF) specify the maximum workload
that may be requested in a time-interval of size 𝚫𝐭
[Figure: two plots over Δ𝑡. Event-arrival function 𝛼(Δ𝑡) with steps 1 to 5: at most 5 events within 20 ms. Workload-arrival function 𝛼(Δ𝑡) with steps 𝐶 * 1 to 𝐶 * 5: at most workload of 𝐶 * 5 within 20 ms.]
Workload-arrival functions for multiple tasks
• The maximum interference a task may have on lower priorities in a
time interval Δ𝑡 is given through its WAF
• Sum of WAFs of group of tasks is the maximum interference through
the group
• Can encode interference from correlated activations
(group WAF smaller than sum of individual WAFs)
[Figure: 𝜶𝟏(𝚫𝐭) of a sporadic task with minimum distance = 5 ms (steps 1 to 6 over 𝚫𝐭 = 5 to 30) + 𝜶𝟐(𝚫𝐭) of a sporadic task with minimum distance = 15 ms (steps 1 to 3 over 𝚫𝐭 = 15, 30), giving the group WAF 𝜶(𝚫𝐭) with axis values 4, 5, 6, 10, 11, 12, 18 over 𝚫𝐭 = 5 to 30; 𝑪𝟏 = 𝟏, 𝑪𝟐 = 𝟑]
Monitoring Workload-arrival functions for multiple tasks
[Figure: Processor running τlc1, τlc2 and τhc, with a single Monitor block; Interference: 𝛼(Δ𝑡)]
• One monitor per group of tasks of the same criticality level
• Monitor enforces workload-arrival function for group
• Monitored task may exceed own budget at cost of another in the group
→ Relevant for sporadic tasks that rarely reach worst-case
• Enforced Interference on lower priorities:
$I_{lc}(\Delta t) = \alpha(\Delta t)$
Satisfaction of Workload-Arrival Functions
• Satisfaction check for new event:
$\forall j \le i:\ \sum_{l=0}^{j} \sigma_C(l) \le \alpha(\sigma_t(i) - \sigma_t(i-l))$
• Complexity depends on trace length 𝑖
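[Figure: trace with timestamps 𝒕 and workloads 𝑪 up to event 𝑖, with windows Δt2, Δt3, Δt4 checked against the group WAF 𝜶(𝚫𝐭) (axis values 4, 5, 6, 10, 11, 12, 18 over 𝚫𝐭 = 5 to 30) and the Slack marked; 𝑪𝟏 = 𝟏, 𝑪𝟐 = 𝟑]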
Achieving Constant Runtime Overhead
• Limited arrival function can be checked with constant overhead
because everything beyond 𝒍 is trivially satisfied
• Network Calculus [LeBoudec01]:
"It is equivalent whether a trace is constrained through any wide-sense increasing arrival function or through the corresponding sub-additive closure."
• Sub-additive closure is the largest sub-additive function smaller than a
given arrival function
[Figure: 𝜶(𝜟𝒕) and the closure of 𝜶(𝜟𝒕) plotted over 𝜟𝒕, with the limit 𝒍, the value 𝜶(𝒍) and ∞ marked]
Achieving Constant Runtime Overhead
• Any sub-additive closure can be checked at constant time with
complexity 𝑶(𝒍)
• Arbitrary WAF can be conservatively monitored with sub-additive
closure smaller than the WAF
• Memory complexity is bounded through discretization of workload
and monitoring according to inverse WAF
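The satisfaction check and the limited horizon 𝒍 from the slides above, as an added example in C (not code from the presentation or from the authors' MicroC/OS-II implementation): a group monitor that checks each new activation against a bounded history, so the work per activation is constant. Assumptions: the names `waf_monitor`, `waf_admit`, `alpha`, `WAF_L` and `HIST`, the reading of the check as "every window ending at the new event must stay within 𝛼 of its time span", and a group WAF built as the sum of two sporadic tasks with C1 = 1 at 5 ms and C2 = 3 at 15 ms minimum distance.

```c
#include <stdbool.h>
#include <stdint.h>

#define WAF_L 30u /* horizon l in ms: windows longer than this are not checked */
#define HIST  16u /* alpha(WAF_L) / smallest C = 16 / 1 entries cover the horizon */

typedef struct { uint32_t t[HIST], c[HIST], head, count; } waf_monitor;

/* Assumed group WAF for closed windows: sum of the individual WAFs of two
   sporadic tasks (C1 = 1 at >= 5 ms distance, C2 = 3 at >= 15 ms distance). */
static uint32_t alpha(uint32_t dt)
{
    return 1u * (dt / 5u + 1u) + 3u * (dt / 15u + 1u);
}

/* Admit an activation of workload c at time t (ms, non-decreasing) only if every
   window that ends at it stays within alpha; a rejected one is not recorded. */
bool waf_admit(waf_monitor *m, uint32_t t, uint32_t c)
{
    uint32_t sum = c;
    if (sum > alpha(0u)) return false;          /* window holding only this event */
    for (uint32_t k = 0; k < m->count; k++) {   /* at most HIST iterations */
        uint32_t idx = (m->head + HIST - 1u - k) % HIST; /* k-th newest entry */
        uint32_t span = t - m->t[idx];
        if (span > WAF_L) break;                /* beyond l: trivially satisfied */
        sum += m->c[idx];
        if (sum > alpha(span)) return false;    /* group budget exhausted */
    }
    m->t[m->head] = t;
    m->c[m->head] = c;
    m->head = (m->head + 1u) % HIST;
    if (m->count < HIST) m->count++;
    return true;
}

/* Constructed trace; returns one bit per activation (1 = admitted). */
unsigned waf_demo(void)
{
    waf_monitor m = {0};
    unsigned r = 0;
    r |= (unsigned)waf_admit(&m, 0, 1) << 0; /* tlc1 */
    r |= (unsigned)waf_admit(&m, 2, 1) << 1; /* tlc1 after 2 ms, uses tlc2's slack */
    r |= (unsigned)waf_admit(&m, 3, 3) << 2; /* tlc2: [0,3] would hold 5 > alpha(3) */
    r |= (unsigned)waf_admit(&m, 5, 3) << 3; /* tlc2: [0,5] holds 5 <= alpha(5) */
    return r;
}
```

In the constructed trace the second activation of τlc1 arrives after 2 ms, which a per-task monitor with a 5 ms minimum distance would reject; the group monitor admits it and instead delays the point at which τlc2 may run.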
Evaluation
• Implementation in MicroC/OS-II on Cortex-M3
• Comparison: Individual vs. Group Monitoring
Evaluation of Slack Reclamation:
• Specified task set with sporadic activation
• Specified WAF/ Individual event-arrival functions
• Number of violations for individual vs. group monitoring
Evaluation of Slack Reclamation
• Individual vs. Group Monitoring of sporadic tasks
• Metric:
• Relative number of violations: $\mathit{violations}_{group} / \mathit{violations}_{individual}$
Investigated parameters:
• total number of tasks
• utilization through sporadic tasks
• 2-16 sporadic tasks
• 10%-80% utilization
[Figure: Processor with four τlc tasks and τhc, four monitors (M) and a Group Monitor]
Testcase Generation:
• Random execution time in [1ms,5ms]
• Sporadic act. randomly with mean inter-arrival rate
(uniform distribution over [0, 2*dmean])
• Group WAF equal to sum of individual WAFs → no correlation
Evaluation of Slack Reclamation
• Reduction of number of violations by 3x – 15x over different util.
• low sporadic load → correlation less probable
• Reduction of number of violations of at least 2x over different task num.
• more tasks → correlation less probable
Evaluation of Activation Correlations
Correlation:
An activation of one task must have a minimum distance to that of another
[Figure: activation timelines of τlc1 and τlc2 with the distance dmin marked]
For a given trace with activation correlation,
what is the tightest monitor configuration that triggers no exception?
Evaluation of Activation Correlation:
• What is the benefit if task activations are not independent?
Evaluation of Correlated Sporadic Activations
[Figure: Processor with four τlc tasks and τhc, four monitors (M) and a Group Monitor; Interference]
• Enforced Interference of Individual vs. Group monitoring
• Record tightest configuration from trace
• Interference permitted by ind. monitors:
$I_{ind.}(\Delta t) = \sum_{j} \alpha_j(\Delta t) \cdot C_j$
• Interference permitted by group monitors:
$I_{group}(\Delta t) = \alpha(\Delta t)$
• Metric: mean relative interference
$\mathrm{mean}_{\Delta t}\, \frac{I_{group}(\Delta t)}{I_{ind.}(\Delta t)}$
• Specified task set with sporadic activation
• Minimum distance between activations in the group
Evaluation of Correlated Sporadic Activations
Testcase Generation:
• 4 sporadic tasks
• Tasks activated at minimum inter-arrival rate
• Additionally minimum distance between activations in group
𝑑𝑚𝑖𝑛 = 𝜎 ∗ 𝐶 𝑚𝑎𝑥 with correlation parameter 𝜎 ∈ 0,1
• 𝜎 = 0 → no correlation (critical instant possible)
• 𝜎 > 0 → no two activations at the same time
Evaluation of Correlated Sporadic Activations
• Without correlation (𝜎 = 0) enforced interference of individual and
group monitoring is identical
• With correlation (𝜎 > 0) enforced interference through group
monitoring significantly lower
Conclusion
• Current monitoring schemes enforce interference/activation pattern
per task rather than per criticality level
• This prevents slack reclamation per class and over-isolates
We have presented
• Monitoring groups of tasks according to workload-arrival functions
• Constant overhead monitoring
• Allows reclaiming slack within a criticality group
• Allows encoding and enforcing the effects of correlations among sporadic task activations
Thank you for your attention.