centrum voor wiskunde en informatica cwi,...
TRANSCRIPT
Schedulability Analysis of Concurrent Objects
Mohammad Mahdi Jaghoori
Centrum voor Wiskunde en InformaticaCWI, Amsterdam
IPA Spring days8 May 2008
Outline
1 IntroductionTask automataThe Creol subset
2 The timed model
3 A modular approachSchedulability analysisCompatibility checking
4 Conclusion
Mahdi Jaghoori (CWI) IPA - May’08 2 / 26
Task Automata - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 4
B :best-case = 2worst-case = 5
Mahdi Jaghoori (CWI) IPA - May’08 3 / 26
Task Automata - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 4
B :best-case = 2worst-case = 5
A
B
B
0
5
10
15
20
Mahdi Jaghoori (CWI) IPA - May’08 3 / 26
Task Automata - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 4
B :best-case = 2worst-case = 5
A
A
B
B
0
5
10
15
20
Mahdi Jaghoori (CWI) IPA - May’08 3 / 26
Task Automata - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 4
B :best-case = 2worst-case = 5
A
B
A
B
B
0
5
10
15
20
Mahdi Jaghoori (CWI) IPA - May’08 3 / 26
Task Automata - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 4
B :best-case = 2worst-case = 5
A
B
B
A
B
B
0
5
10
15
20
Mahdi Jaghoori (CWI) IPA - May’08 3 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task automata
Task automata model real time systems withNon-uniformly recurring tasksSingle processor
Timed automata extended with dynamically created tasks
Task characteristicsan abstraction of the computation (best-case and worst-caseexecution time)generated by timed events (timing constraints in timed automata)must finish within its (relative) deadlineits completion time may influence release of other tasks
Mahdi Jaghoori (CWI) IPA - May’08 4 / 26
Task Automata - Schedulability
SchedulabilityAll tasks are accomplished within their deadlines.
Schedulability is decidable in certain cases, likenon-preemtive scheduling strategy; orbest-case = worst-case; or...
Mahdi Jaghoori (CWI) IPA - May’08 5 / 26
Task Automata - Schedulability
SchedulabilityAll tasks are accomplished within their deadlines.
Schedulability is decidable in certain cases, likenon-preemtive scheduling strategy; orbest-case = worst-case; or...
Mahdi Jaghoori (CWI) IPA - May’08 5 / 26
Schedulability - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 4
B :best-case = 2worst-case = 5
A
B
B
A
B
B
0
5
10
15
20
Mahdi Jaghoori (CWI) IPA - May’08 6 / 26
Schedulability - Example
x > 7A(10) !
x := 0
x > 5B (6) !
x := 0
A :best-case = 3worst-case = 8
B :best-case = 2worst-case = 5
A3
10
15
20
25
30
A1
A1
A2
A2
A3
A4
Mahdi Jaghoori (CWI) IPA - May’08 6 / 26
Motivation
Use task automata ideas for schedulabilityanalysis of timed Creol models.
Mahdi Jaghoori (CWI) IPA - May’08 7 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
A Simplified Subset
Reactive asynchronous objectsObjects have one processor each
Communication:Asynchronous message passingIncoming messages are buffered (for each object)
Computation:No processor release points (methods run to the end)init message in buffer upon creation
Scheduling strategy (The order of executing incoming messages)Examples: First Come First Served (FCFS), Earliest Deadline First(EDF), Nondeterministic.Preemption is disallowed
Mahdi Jaghoori (CWI) IPA - May’08 8 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Example
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t (w:C2) ==worker = w;v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
class C2 beginvar v2 : i n t ;
op i n i t ==v2 = 0;
op b ( ) ==v2 = v2 + 1;! c a l l e r . a ( ) ;
end
class main beginop i n i t ==
var r1 : C1 ;var r2 : C2 ;r2 = new C2;r1 = new C1( r2 ) ;
endend
Mahdi Jaghoori (CWI) IPA - May’08 9 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Ideas and Problems
Idea:Each method can be one task.Model task generation patterns with task automata.
But,There are more than one processor
Tasks are specified (as timed automata) rather than executiontimes
and may create new tasks during its execution
Three categories of method calls (task generation)messages received from other objectsmessages sent out to other objectsself calls
Mahdi Jaghoori (CWI) IPA - May’08 10 / 26
Example: Object r1
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t ( ) ==v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
Mahdi Jaghoori (CWI) IPA - May’08 11 / 26
Example: Object r1
class C1( worker : C2) beginvar v1 : boolean ;
op i n i t ( ) ==v1 = f a l s e ;! th is . a ( ) ;! worker . b ( ) ;
op a ( ) ==i f ( v1 ) begin
worker . b ( ) ;end ;v1 = ~ v1 ;
end
Mahdi Jaghoori (CWI) IPA - May’08 11 / 26
Example: Object r1
Driver automaton
init
a
Mahdi Jaghoori (CWI) IPA - May’08 12 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Schedulability of an Object
Behavior AutomatonExecuting the abstract methods as controlled by the driver automaton
States: ((s, s′), [B1, . . . , Bl ])
s is the current state of driver automatons′ is the current state of the currently running method[B1, . . . , Bl ] is the current queueThere is a static bound q on length of schedulable queues
q = max(deadline) / min(best-case execution time)
ΣH = {!m(d)|m /∈ M} ∪ {?m(d)|m ∈ M} ∪ {m|m ∈ M}CH =
( ⋃i∈[1..n] Ci
)∪ CD
Mahdi Jaghoori (CWI) IPA - May’08 13 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Computing the Behavior Automaton
Receive: receiving message indicated in driver automatonSelf call
Invocation: when deadline value mentioned explicitlyDelegation: inheriting parent task’s deadline
External callInternal: transitions without sending/receiving messagesContext switch: when current method finishes
Queue overflow: go to error state (keeping model finite)Missed deadline: from every state to error state
Mahdi Jaghoori (CWI) IPA - May’08 14 / 26
Receive
((s, s′), Q, VS)m(d)?−−−−−−−−→
c∧L ; X ,ci =0−H ((t , s′), Q′, VS))
if sm(d)?−−−−→c ; X
−D t and
(L, ci , Q′) ∈ sched(Q, m(d)) and
length(Q) ≤ q
Mahdi Jaghoori (CWI) IPA - May’08 15 / 26
Self call: Invocation
((s, s′), [B1, . . . , Bl ], VS)m−−−−−−−−→
c∧L ; X ,ci =0−H ((s, t ′), Q′, VS)
if (s′m(d)!−−−→c ; X
−B1 t ′) and
(L, ci , Q′) ∈ sched([B1, . . . , Bl ], m(d)) and
(m ∈ M) and
l ≤ q
Mahdi Jaghoori (CWI) IPA - May’08 16 / 26
Self call: Delegation
((s, s′), [m1(d , c′), B2, . . . , Bl ], VS)m−−−−−→
c∧L ; X−H ((s, t ′), Q′, VS)
if (s′ m!−−−→c ; X
−m1t ′) and
(L, Q′) ∈ sched([m1(d , c′), . . . , Bl ], m(d , c′)) and
(m ∈ M) and
l ≤ q
Mahdi Jaghoori (CWI) IPA - May’08 17 / 26
External call
((s, s′), [B1, . . . , Bl ], VS)m(d)!−−−→c ; X
−H ((s, t ′), [B1, . . . , Bl ], VS)
if (s′m(d)!−−−→c ; X
−B1 t ′) and
(m /∈ M) and
l ≤ q
Mahdi Jaghoori (CWI) IPA - May’08 18 / 26
Internal action
((s, s′), [B1, . . . , Bl ], VS) −−−→c ; X
−H ((s, t ′), [B1, . . . , Bl ], VS)
if (s′ −−−→c ; X
−B1 t ′) and
l ≤ q
Mahdi Jaghoori (CWI) IPA - May’08 19 / 26
Context-switch
((s, s′), [B1, B2, . . . , Bl ], VS) −−−→Cl =0
−H ((s, start(B2)), [B2, . . . , Bl ], VS)
if s′ ∈ final(B1) and
Cl = local_clocks(B2) and
l ≤ q
The source state is “urgent”.
Mahdi Jaghoori (CWI) IPA - May’08 20 / 26
Overflow
((s, s′), [B1, . . . , Bl ], VS) →H error
if (l > q)
Mahdi Jaghoori (CWI) IPA - May’08 21 / 26
Deadline miss
((s, s′), [mi(di , ci), . . .], VS) −−−−→(ci<di )
−H error
Check deadline for every message in the queue.
Mahdi Jaghoori (CWI) IPA - May’08 22 / 26
How we do it
Mahdi Jaghoori (CWI) IPA - May’08 23 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Compatibility Checking
After each object is checked to be schedulablewith respect to its driver
Is a complete system containing these objects schedulable?Does the environment of each object respect the driver?
The composition of drivers should be an over-approximation of thereal system
What does over-approximation mean?A message m is sent to r1 only if expected by its driver (within thecorrect time interval); and,!m(d ′) matches ?m(d) in the driver of r1 only if d ≤ d ′
?m(d) in driver: m can be finished within d time units!m(d ′) in the system: requiring that m should finish within d ′ timeunits
Mahdi Jaghoori (CWI) IPA - May’08 24 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Test Compatibility
The product of all drivers (A) should be an abstraction(over-approximation) of the whole system (S)Take a (timed) trace in A
Using UPPAAL model checkerCheck the negation of a desired property
Add to each state a transitionto a FAIL statecatching incompatible behaviors
If FAIL is not reachable, it is inconclusive.
Mahdi Jaghoori (CWI) IPA - May’08 25 / 26
Conclusions and Future Work
We adjusted task automata for a subset of CreolConsidering self-calls/delegationTasks specified (instead of best and worst-case execution times)
Schedulability analyzed for each classThe expected use pattern modeled in driver
For a complete system, compatibility is tested.
Future workSchedulability analysis for complete Creol language
Synchronous communicationProcessor release points
Scheduler specification
Mahdi Jaghoori (CWI) IPA - May’08 26 / 26