Moritz Neukirchner, Philip Axer, Tobias Michaels, Rolf Ernst
Monitoring of Workload Arrival Functions for Mixed-Criticality Systems
3 December 2013 | Moritz Neukirchner | Monitoring of Workload Arrival Functions for Mixed-Criticality Systems | Slide 2
Requirement of Safety Standard IEC61508
What is sufficient independence?
IEC61508:
“For a […] system that implements […] functions of different safety […] levels, unless it can be shown there is sufficient independence […], the requirements applicable to the highest relevant safety integrity level shall apply […].”
IEC61508:
“the probability of a dependent failure between the non-safety related and safety-related parts is sufficiently low”
Mixed-Criticality and Sufficient Independence
• Tasks of different safety-criticality
• Specification of activation pattern and WCET
• Timing analysis yields maximum interference from low to high criticality
• For certification of τhc only the cumulative interference of higher priorities is relevant
• Interference from untrusted (i.e. low criticality) tasks must not exceed analysis bounds
→ Enforcement
[Figure, ANALYSIS: processor with tasks τlc1, τlc2 and τhc, each specified by 𝑃, 𝐽 and 𝐶; interference on τhc]
Mixed-Criticality and Sufficient Independence
• Actual execution times
• Enforcement through execution time monitors
• Traces
• Enforcement through activation pattern monitors (e.g. [Wrege96], [Lampka11], [Neukirchner12])
• Enforced Interference
$I_{lc}(\Delta t) = C_{lc1} \cdot \frac{\Delta t + J_{lc1}}{P_{lc1}} + C_{lc2} \cdot \frac{\Delta t + J_{lc2}}{P_{lc2}}$
[Figure, ACTUAL SYSTEM: processor with τlc1 and τlc2, each behind its own monitor, and τhc; interference on τhc]
This monitoring is overly restrictive because the interference among low-criticality tasks is also enforced.
• Over-enforces if low criticality tasks (typically) do not experience worst-case simultaneously (e.g. uncorrelated sporadic tasks)
Outline
• Modelling workload of arbitrarily activated tasks
• Monitoring of workload-arrival functions
• Checking traces
• Achieving constant runtime overhead
• Evaluation
Modelling Arbitrary Activation Patterns
• Event-arrival functions specify the maximum number of events that may occur in a time-interval of size Δt
• Workload-arrival functions (WAF) specify the maximum workload that may be requested in a time-interval of size Δt
[Figure: event-arrival function over Δt, at most 5 events within 20 ms; workload-arrival function α(Δt) over Δt with steps 𝐶*1 to 𝐶*5, at most workload of 𝐶*5 within 20 ms]
Workload-arrival functions for multiple tasks
• The maximum interference a task may have on lower priorities in a time interval Δ𝑡 is given through its WAF
• Sum of WAFs of group of tasks is the maximum interference through the group
• Can encode interference from correlated activations (group WAF smaller than sum of individual WAFs)
[Figure: α1(Δt) of a sporadic task with minimum distance = 5 ms plus α2(Δt) of a sporadic task with minimum distance = 15 ms gives the group WAF α(Δt), plotted over Δt from 5 to 30, with 𝐶1 = 1, 𝐶2 = 3]
Monitoring Workload-arrival functions for multiple tasks
• One monitor per group of tasks of the same criticality level
• Monitor enforces workload-arrival function for group
• Monitored task may exceed own budget at cost of another in the group
→ Relevant for sporadic tasks that rarely reach worst-case
• Enforced Interference on lower priorities:
$I_{lc}(\Delta t) = \alpha(\Delta t)$
[Figure: processor with τlc1 and τlc2 behind one shared monitor, and τhc; interference on τhc: α(Δt)]
Satisfaction of Workload-Arrival Functions
• Satisfaction check for new event:
$\forall j \le i:\ \sum_{l=0}^{j} \sigma_C(l) \le \alpha(\sigma_t(i) - \sigma_t(i-l))$
• Complexity depends on trace length 𝑖
[Figure: group WAF α(Δt) for 𝐶1 = 1, 𝐶2 = 3 above a trace with activation times 𝑡 and workloads 𝐶 up to event 𝑖; intervals Δt2, Δt3, Δt4; slack marked]
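The satisfaction check above, run over two constructed traces as an added example (not code from the presentation): it uses the slides' example tasks (minimum distances 5 ms and 15 ms, 𝐶1 = 1, 𝐶2 = 3) and compares an individual monitor with a group monitor. The names `alpha_task`, `alpha_group` and `first_violation` and the window convention are assumptions of the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Values from the slides' example: sporadic tasks with minimum distance
 * 5 ms and 15 ms, C1 = 1, C2 = 3. The traces below are constructed. */
typedef struct { long t_ms; int task; } event_t;
static const long D_MIN[2] = { 5, 15 }, WCET[2] = { 1, 3 };
static const event_t TRACE_A[] = { {0, 0}, {2, 0}, {4, 0} };
static const event_t TRACE_B[] = { {0, 0}, {2, 0}, {4, 0}, {4, 1} };

/* Workload one task may request in a window whose first and last
 * activations lie span_ms apart (convention assumed by this example). */
static long alpha_task(int task, long span_ms) {
    return WCET[task] * (span_ms / D_MIN[task] + 1);
}

/* Group WAF: sum of the individual WAFs, i.e. no correlation encoded. */
static long alpha_group(long span_ms) {
    return alpha_task(0, span_ms) + alpha_task(1, span_ms);
}

/* Returns the index of the first violating event, or -1 if none.
 * only_task >= 0: individual monitor for that task; < 0: group monitor.
 * Every event is checked against all earlier ones, so the cost grows
 * with the trace length. */
static int first_violation(const event_t *tr, size_t n, int only_task) {
    for (size_t i = 0; i < n; i++) {
        if (only_task >= 0 && tr[i].task != only_task) continue;
        long work = 0;
        for (size_t k = i + 1; k-- > 0; ) {   /* walk back from event i */
            if (only_task >= 0 && tr[k].task != only_task) continue;
            work += WCET[tr[k].task];
            long span = tr[i].t_ms - tr[k].t_ms;
            long bound = only_task >= 0 ? alpha_task(only_task, span)
                                        : alpha_group(span);
            if (work > bound) return (int)i;
        }
    }
    return -1;
}

int main(void) {
    printf("A, individual monitor of task 0: %d\n", first_violation(TRACE_A, 3, 0));
    printf("A, group monitor: %d\n", first_violation(TRACE_A, 3, -1));
    printf("B, group monitor: %d\n", first_violation(TRACE_B, 4, -1));
    return 0;
}
```

Trace A is rejected by the individual monitor of task 0 at its second event but accepted by the group monitor, because task 0 uses budget that task 1 leaves idle. Trace B adds an activation of task 1 at 4 ms and exceeds the group bound at that event.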
Achieving Constant Runtime Overhead
• Limited arrival function can be checked with constant overhead because everything beyond 𝑙 is trivially satisfied
• Network Calculus [LeBoudec01]: "It is equivalent whether a trace is constrained through any wide-sense increasing arrival function or through the corresponding sub-additive closure."
• Sub-additive closure is the largest sub-additive function smaller than a given arrival function
[Figure: α(Δt) over Δt, specified up to 𝑙 with value α(𝑙) and ∞ beyond, together with the closure of α(Δt)]
Achieving Constant Runtime Overhead
• Any sub-additive closure can be checked at constant time with complexity 𝑂(𝑙)
• Arbitrary WAF can be conservatively monitored with sub-additive closure smaller than the WAF
• Memory complexity is bounded through discretization of workload and monitoring according to inverse WAF
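An added example (not from the presentation) of the closure construction: the group WAF of the earlier two-task example is specified only up to 𝑙 = 30 ms and treated as unbounded beyond, and its sub-additive closure is computed by dynamic programming. The 5 ms grid, the array layout and the function names are assumptions of the example.

```c
#include <stdio.h>
#include <limits.h>

#define L_SLOTS 6           /* WAF specified up to l = 6 slots of 5 ms */
#define N_SLOTS 9           /* closure computed up to 45 ms */
#define UNBOUNDED LONG_MAX  /* alpha = infinity beyond l */

/* Group WAF values from the slides' figure (C1 = 1, C2 = 3), indexed by
 * window size in 5 ms slots (assumed grid); index 0 is the empty window. */
static const long WAF[L_SLOTS + 1] = { 0, 4, 5, 6, 10, 11, 12 };

static long alpha_limited(int n) {
    return n <= L_SLOTS ? WAF[n] : UNBOUNDED;
}

/* Sub-additive closure by dynamic programming:
 * closure(n) = min(alpha(n), min over 0<k<n of closure(k)+closure(n-k)).
 * Sums stay finite because closure(1) = alpha(1) is finite. */
static void closure(long out[N_SLOTS + 1]) {
    out[0] = 0;
    for (int n = 1; n <= N_SLOTS; n++) {
        long best = alpha_limited(n);
        for (int k = 1; k < n; k++)
            if (out[k] + out[n - k] < best) best = out[k] + out[n - k];
        out[n] = best;
    }
}

/* 1 if f(a+b) <= f(a)+f(b) for all a+b <= N_SLOTS, else 0. */
static int is_subadditive(const long f[N_SLOTS + 1]) {
    for (int a = 1; a <= N_SLOTS; a++)
        for (int b = 1; a + b <= N_SLOTS; b++)
            if (f[a + b] > f[a] + f[b]) return 0;
    return 1;
}

int main(void) {
    long c[N_SLOTS + 1];
    closure(c);
    for (int n = 1; n <= N_SLOTS; n++)
        printf("dt <= %2d ms: %ld\n", 5 * n, c[n]);
    printf("sub-additive: %d\n", is_subadditive(c));
    return 0;
}
```

Up to 30 ms the closure equals the specified WAF; beyond it the closure gives the finite bounds 16, 17 and 18 for windows up to 35, 40 and 45 ms, derived only from the first 𝑙 entries.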
Evaluation
• Implementation in MicroC/OS-II on Cortex-M3
• Comparison: Individual vs. Group Monitoring
Evaluation of Slack Reclamation:
• Specified task set with sporadic activation
• Specified WAF / individual event-arrival functions
• Number of violations for individual vs. group monitoring
Evaluation of Slack Reclamation
• Individual vs. Group Monitoring of sporadic tasks
• Metric:
• Relative number of violations: $\frac{violations_{group}}{violations_{individual}}$
Investigated parameters:
• total number of tasks
• utilization through sporadic tasks
• 2-16 sporadic tasks
• 10%-80% utilization
[Figure: processor with four τlc tasks, individual monitors (M) and one group monitor, and τhc]
Testcase Generation:
• Random execution time in [1ms,5ms]
• Sporadic activation randomly with mean inter-arrival rate (uniform distribution over [0, 2*dmean])
• Group WAF equal to sum of individual WAFs → no correlation
Evaluation of Slack Reclamation
• Reduction of number of violations by 3x – 15x over different utilizations
• low sporadic load → correlation less probable
• Reduction of number of violations of at least 2x over different task numbers
• more tasks → correlation less probable
Evaluation of Activation Correlations
Correlation:
An activation of one task must have a minimum distance to that of another
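[Figure: activation timelines of τlc1 and τlc2, with dmin between an activation of one task and an activation of the other]
For a given trace with activation correlation, what is the tightest monitor configuration that triggers no exception?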
Evaluation of Activation Correlation:
• What is the benefit if task activations are not independent?
Evaluation of Correlated Sporadic Activations
• Enforced Interference of Individual vs. Group monitoring
• Record tightest configuration from trace
• Interference permitted by ind. monitors:
$I_{ind.}(\Delta t) = \sum_j \alpha_j(\Delta t) \cdot C_j$
• Interference permitted by group monitors:
$I_{group}(\Delta t) = \alpha(\Delta t)$
• Metric: mean relative interference
$\mathrm{mean}_{\Delta t}\, \frac{I_{group}(\Delta t)}{I_{ind.}(\Delta t)}$
• Specified task set with sporadic activation
• Minimum distance between activations in the group
[Figure: processor with four τlc tasks, each with an individual monitor (M), one group monitor, and τhc; interference]
Evaluation of Correlated Sporadic Activations
Testcase Generation:
• 4 sporadic tasks
• Tasks activated at minimum inter-arrival rate
• Additionally minimum distance between activations in group $d_{min} = \sigma \cdot C_{max}$ with correlation parameter $\sigma \in [0,1]$
• 𝜎 = 0 → no correlation (critical instant possible)
• 𝜎 > 0 → no two activations at the same time
Evaluation of Correlated Sporadic Activations
• Without correlation (𝜎 = 0) enforced interference of individual and group monitoring is identical
• With correlation (𝜎 > 0) enforced interference through group monitoring significantly lower
Conclusion
• Current monitoring schemes enforce interference/activation pattern per task rather than per criticality level
• This prevents slack reclamation per class and over-isolates
We have presented
• Monitoring groups of tasks according to workload-arrival functions
• Constant overhead monitoring
• Allows reclaiming slack within a criticality group
• Allows encoding and enforcing the effects of correlations among sporadic task activations
Thank you for your attention.