Kernel support for embedded reactive systems by Ackerman, M. C . (Marthinus Casper)
Kernel support for embedded reactive systems
A THESIS
SUBMITTED TO 1'RE DEPAI.TMENT OF COMPUTEI. SCIENCE
OF THE UNIVER.SITY OF STELLENBOSCH
IN PAR.TIAL FULFILMENT OF THE R.EQUII.EMENTS
FOR. THE DEGI.EE OF
MASTER. OF SCIENCE
By
Me Ackerman
October 1993
Superviaed by: Mr P.J.A. de Villiers
Declaration
I the underaiped hereby declare that the work contained in thia thelis is my own orisinal
work and has not previously in ita entirety or in part been submitted at any univenity for a.
d~.
Sip.ature: Date:
Stellenbosch University http://scholar.sun.ac.za
Abstract
Reactive systems are event driven state machines which usually do not terminate, but remain
in perpetual interaction with their environment. Such systems usually interact 'With devices
which introduce a high degree of concurrency and some real time constraints to the system.
Because of the concurrent nature of reactive systems they are commonly implemented as
communicating concurrent processes on one or more processors. Jeffay introduces a design
paradigm which requires consumer processes to consume messages faster than they are pro-
duced by producer processes. If this is guaranteed, the real time constraints of such .. system
are always met, and the correctness of the process interaction is guaranteed in terms of the
mesA&e passing semantics. I developed the ESE kernel, which supports Jefl'ay 5y.tems by
providiD! li!htweight procestes which communicate over asynchronous channels. Proceues
are Kheduled non-preemptively according to the earliest deadline first policy when they have
messases pending on their input channels. The Jeffay design method and the ESE kernel
have been found to be highly suitable to implement embedded reactive systems. The seneral
requirements of embedded reactive systems, and kernel support required by such systems, are
discussed.
Stellenbosch University http://scholar.sun.ac.za
OpsolDlDing
Reaktiewe stelaels is toeatandsoutomate wat aallgedryf word deur sebeure in hulomsewins.
So 'n stelsel termineer gewoonlik nie, maar hly in 'n voortdurende wilaelwerkins met tontelle
in sy omgewing. Toestelle in die omgewing van 'n reaktiewe stelael veroorsaak in die algemeen
'n hoe ma.te van gelyklopendheid in die stelael, en plaas gewoonlik sekere intydse beperkings
op die stelsel. GelyJdopende stelsels 'Word gewoonlik u stelael. van kommunikerende pIOleSle
seimplementeer op een ofmeer proses80fI. Jeffay beskryf 'n ontwerplmetodologie waarvolgens
die ontvanger van boodakappe hulle vinniger moot verwerk as wat die sender hulle b.n stuur.
Indien hierdie sedrag tunen aile pare kommunikerende proseue gewaarbors kan word, sal die
stelael altyd 8y intydse beperkings gehoorsaam, en word die korrektheid van interaksie. tunen
plOIeUe deur die semantiek van die boodska.pwiueling gewaarbors. Die "ESE" bedryfatelsel-
kern wat ek ontwikkel het, ondersteun stelsels wat ontwerp en geimplementeer word volgen.
Jefray 1M! metode. Proeene kommunikeer oor asinkrone kanale, en die ontvanger van die
boodlbp met die vroegste keertyd word altyd eerste geskeduleer. Jeffay se ontwerptmetode en
die "ESE" kern blyk in die praktyk bale gesldk te wees vir reaktiewe stelsel. wat as sublte1seLl
van poter atelse1s uitvoer. Die vereistes van reaktiewe subatelsels, en die kemondersteuning
wat daarvoor nodig is, word bespreek.
Stellenbosch University http://scholar.sun.ac.za
Acknowledgentents
My thanks to:
• my supervisor, Pieter de Villiers, for his ideas, advice &Ild Suid&llce;
• Prof Tony Krzesinski for goading me whenever he saw me, none the leu remainins
patient; and
• Charlotte Ackerman for having unwavering faith in my completion of this thais, con-
stantly 8upportinS me, and for cheerfully puttins up with the disruption and .treu
caused by it.
Stellenbosch University http://scholar.sun.ac.za
Contents
Abdract
OpltOmming
Acknowledgements
1 Introduction
1.1 The subject of this thesis
1.2 Outline of this thesis • • . •
iii
•IV
V
1
2
2
2 Background S
2.1 Schedu1in~ al~orithms for multiprogramming in a hard-real-time environment 3
2.1.2 Deadline driven schedulin~
2.1.1 Rate monotonic scheduling
. .. .. . . . . . . . . . .. . . . .. .. .. . . . . . 5
2.1.3 Hybrid schedulin~ algorithms . • • . . . . . . . . . 6
2.1.4 Run-time VS. pre-run-time scheduling ••.•.....••. .. . .. .. . . 7
2.2 Specification and analysis techniques for real-time systems. . • • • • . . • • • 8
2.3 Operatinr; systems for real-time systems . • • . . . . • • . . . • • • . • . • •. 10
2.4 The real-time producer/consumer paradigm • • • . . • • • • • • • . . . • • •• 12
2.5 Discul8ioD.................... '" . ... .. .. .. .. . .. .. .. .. . .. .. .. .. . .. . . .. . • '" 12
Stellenbosch University http://scholar.sun.ac.za
3.1 Introduction If III II
:I The real-time produc:er/c:on~umer(RT/PC) paradigm
3.4 Calculating channel input rates . . . . . . . . .
3.4.1 Calculating message output rates.
3.4.2 Calculating message input rates ..
3.2 System components and graphical notation .•••.
3.2.1 Processes and channels. • . . • • . • • • . . .
3.2.2 Input and output devices .•......•••
15
15
16
18
19
20
21
22
22
22
23
23
24
24
26
.. .
to ... • • • • • •
. .. . . .. .
3.2.3 Mutual exclusion regions and data repositories ..
3.2.4 Well-formedneas of design graphs • . . • • • • • • .
3.3 Mesaage passing semantics. . • . . . . . . . • • . . . • . .
3.3.1 Message transmission rates . . . . . . .
3.3.2 Restrictions on process construction . .
3.5 Scheduling results ...•......
3.6 Implementing RT fPC designs . • . •
.. The ESE Kernel
4.1 Embedded Reactive Systems
4.2 Events...................................... '" .. .. . . . .. .. . ,. • .
4.3 Preemptive and Non-preemptive Scheduling . . . . . . . . . . . . . . . . • • .
4.3.1 Support for RTfPC ...•.............•...•.....•
4.3.2 Scheduling efficiency . . . . • . . . . . . . . . . . . . . . • . . . . . . .
4.3.3 Support for state machines . . . . . . . . . • . . . . . . . . . . • . • •
4.3.4 Des.j~ decision .. .. • • .. .. . .. .. .. . .. .. .. .. .. .. .. .. .. .. .. .. .. .. • .. .. • ....
4.4 Periodic VB Sporadic Processes ••..•.•..•••....••..••..••
28
29
32
34
34
34
35
35
36
Stellenbosch University http://scholar.sun.ac.za
4.5 Data Repolitoriel and Synchronous Meua«e Pu.ing . • • . . . • . • • • •••
4.6 Synchronoul vs A.ynchronoul Chenel. . • • . • . • • • • • • • • • • • . • • •
4.7 Mutual Exclusion ReKionl ..•.••••.....••....•....•••••
4...8 Interrupts and Events . . . .. .. .. .. .. .. .. .. . .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .
4.9 Timers........................................................................ ..
4.10 Implementation of Scheduling ...........••.•..•.•••.••••
4.10.1 System clock granularity. • . • . • . . . • • • • • • • • • • • • . • . • .
4.11 Penorm&llce of ESE .
38
38
39
40
43
44
48
50
5.2 X.25 cue study - requirements definition ....•••••••••....•••
5..3 SYltem desip .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
5.4.5 Viability analysi. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. . .. • •
5.4.6 Viability of the X.25 example . • . . . . . . . . . . • • • . . • . • • • •
5.5 rr:fPC and ESE in practice - IIOme obeervations ••••...•.•••.•.
5.5.1 TJae area of applicability of ESE .•.•••••..•..••••••••
5.5.2 The etrort of de.ipin« for RTfPC and ESE • • • . . . . • • • . . • • .
5.3.1 Block desip of X.25 system. . • • . • • . . . . . . . • • • • • • • • • •
5,.,3.2 Process decomposition .
5.4 Desip and analysis of RT fPC systems . . • • . . . • . . . . . . . . . . . . • •
5.4.1 Realisability of a de.ip Uaph ••..••.••••.•........•
5.4.2 Realisability of the X.25 design . • . . • • . • • • . . • • • • . . . . • •
5.4.3 Implementin« the desip Uaph • • . • • • • • • • • • • • • • • • • • • •
5.4.4 Implementation mappin« of the X.25 example • • • • • • . • • . . . . .
14
54
54
58
58
60
61
61
62
67
70
73
74
79
81
81
III .. II .. .. .. .. .. .. .. .. .. .. II .. III .. .. .. .. .. .. .. ... ..5.1 Introduction............
5 DevelopinS Reactive Syatema
Stellenbosch University http://scholar.sun.ac.za
.. .. .. ... .. #I • .. .; • It • .. It .. .. .. *' • ..5.5.3
5.5."
ReaUlablUty and viability analysil
Performance of ESE implementatioRa .. .. .. .. .. .. .. .. • • if" .. l/I .. .. .. • ..
81
82
5.6 Summary or method .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. . .. .. .. .. .. .. .. .. .. . 82
5.6.1 Requirements definition .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. " .. .. .. 82
5.6.2
5.6.3
5.6.4
5.6.5
5.6.6
5.6.7
System design.. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
RT fPC design
Realisability analysis .. .. .. .. .. . .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. • .. ....
Implementa.tion mappins
Viability analysis .. .. .. '" .. .. .. '" .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ..
Implementation . . . . . . . . . . . . . . . • . . • • . . • • . • • • • • •
82
83
83
83
83
84
.. .. .. l1li .. .. .. '" .. .. .. .. ... .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. III .. .. .. .. .. .. .. .. .. .. ..
Conchuion
A ESE interlace typ_ and command.
A.I Types
85
3D
89
A.I.! Alarm .. .. III .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 89
A.l.2 AsyncChannel .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. 89
A.l.3 InputPort .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. ... 9()
A.l.4 Mailoox.............................................,............. 9()
A.l.5 M~e..... . . . .. .. . . . .. . . .. .. .. . . .. .. .. .. .. .. .. .. .. .. .. .. .. ... 9()
A.1.6 NaJ:le
A.l.7 Octet
. . .. .. .. .. .. .. .. .. .. .. .. .. . . .. .. .. .. .. . .. . .. .. .. .. . . .. . .. .. .. ..
.. .. .. .. . .. . .. .. .. .. . .. .. .. .. . .. .. .. .. . . .. .. . ,. .. .. .. .. .. .. .. .. ..
90
90
A.l.8 Proceu . .. .. .. .. .. .. .. .. ... .. .. . .. .. .. ... . 90
A.l.9 1l~ .. .. .. .. . .. .. .. .. . .. . .. .. .. .. .. .. .. .. . .. .. . .. . .. .. .. .. .. .. .. . .. 91
A.I.10 Time.. .. .. .. .. . .. .. .. .. .. .. .. .. .. • .. .. .. • .. .. .. .. .. .. .. .. .. .. .. .. • . .. .... 91
A.l.ll Timer .. . .. .. .. .. .. . . .. .. . .. . .. .. .. .. .. .. . . .. .. .. .. .. .. . .. .. .. . .. .. .. 91
Stellenbosch University http://scholar.sun.ac.za
A.l.12 Vle-rRef . . .. II. • • • • l1li • .. • • .. .. .. • • .. • • • • • • • '* .. II- .. • • .. •• 11
A.2 CreateProc... . . . . . . .. . . .. .. . . . .. . . . .. . . .. . .. . . . . . . .. .. . .. 11
92. .. .. . . .. . .. .. .. . . .. .. . .. .. .. . .. .. .. . . . . . ..... ...
CreAteA.yncChannel
CreateMailboxA.4
A.3
A.5 CreatelnputPort
A.6 StutSyatem.. . . . . .. . . . . . .. . . . . .. . . . . . . . . . . . .. . . .. . . .. ... 93
A.7 SendMeuapOnAlyncCh&nnel 93
A.8 PutlntoM.ailbox.. . . . .. .. . . .. . . . . . . . . . .. . .. .. . . . . . .. . .. . .. .. .... 93
A..9 Si,snalInputPort.. .. . . .. .. . l1li .. • .. • • .. • • • .. • • .. .. • • • .. • .. .. .. • .. • •• H
A.I0 Receive
A.l1 SetTimer 95
A.12 SetAlarm 95
A.13 StopTimer. • . • • . . • • . 95
A..14 StopAlarJll. . .. . .. .. .. .. . . .. .. .. .. .. .. .. .. .. . . . . . . .. . .. . . . . . .. .. .. .... 9fi
Stellenbosch University http://scholar.sun.ac.za
List of Tables
1 Talk Switchins Overhead .•.•.... . . • • . . . . . . . . • . . • • • . .. 52
2 Timer Proceuing Overhead . . • • . . • • . . • • . . . . . . . . • • • . • . •• 53
3 Viability Condition 1 - Maximum Channel Rate . . . . . . • • . . • . • • •• 77
4 Viability Condition 1 - Adjusted Channel Rate ..............•• 78
Stellenbosch University http://scholar.sun.ac.za
List of Figures
1 Real-"lme producer/consumer paradigm • . . • . • . . • • . . • • • • • • • •• 16
2 An RT/PC desi«n graph • . . • . • • • . . • . . • . . . . . . . . . . . . . . .• 17
3 Schema for an RT/PC process .•••..•.................•. 19
.. A schema. for an RTIPC data repository • . . . • . . • • . . . . . . . . . . .. 21
5 Meuase transmission rate function . • • • . . . • • . . . . . . . . . . . . . .. 24
6 Input rate definition for MPIse processes . . . . . . . • • • . • . . . • . . .. 24
7 Reactive system. . . . . . . " . . . . . . . .. . . " . . • • • . . " . . " . . . •. 30
8 Information frame format . • • • . . . • • . • . . • • . • • . • • • . . • • . •. 41
9 Fut Interruptins Device: Unrealisable System ..•••.......••... 41
10 Fut Interruptins Device: Realisable System . . . . . • • . . . . . . . . . . •• 42
11 SchedulinS with course clock ticks .•..•....•.••..•......•• 50
12 SchedulinS with inserted fine &lain clock ticks . • • • . . . . . . . . . . . . .. 51
13 Tuk switching COlt of channels • • • • • . • . . . . . . . . . • . • . . . . . .. 52
14 Block di~am of iX.25 hardware . • . • • • • . . . . . . . . . . . . . . . . .. 56
15 OSI/X.2fj/implementation correspondence. • • • • • • . . . . • • • . . . . .• 59
16 Protocol machine implementations • • . . . . . • • . • • • • • . • • . . . . .. 60
17 Nest.ed. cycles • • • • • • " • " " . . . • • " • .. " " • . " • " ~ • " " " " " • • ." 62
18 -aT/PC detip. of X.25 .. " . " . • " . • .. . . . . • . • . . . . . . • . . . • . ." 63
Stellenbosch University http://scholar.sun.ac.za
19 Reduced. unotated aT/PC delip for X.25 . . . • . . . • • • • . • • • • . •• 15
20 Refined model of X.25 for implementation • • • • • • • • . • • • • • • • • • •• 71
21 Input File for Viability Condition 2 Checker. • • • • • • • . • • . • . . . . •• 71
22 Output File of Viability Condition 2 Checker . . . • • • . • • • • • • . . • •• 80
23 Output File of ViabiUty Condition 2 Checker: Continued .•••••••••• 80
Stellenbosch University http://scholar.sun.ac.za
Chapter 1
Introduction
The proliferation of cheap microprocessor. over the past decade has led to a trend ofdi.tribut-
in~ intellisence in a computer system, and to embed intelligent applications in lub,y.tem•.
Integrated single chip and chip set solutions has made it cheap and easy tf) produce rela·
tively powerful embedded and stand-alone platforms. These platforms are used in a variety
of application.: from bu. expansion cards, such as intelligent communications controllen, to
stand-alone devices such as process controllers and hand held computers.
The intellipnce available in embedded platforms, today, facilitates very powerful embedded
applications. At the same time, economical considerations often dict~te that commercial and
industrial systems be built on the cheapest potlsible platform. TWa usually result, in a leu
powerful processor, and leas memory, than the software engineer would hiO.ve preferred. In
contrast, operatinK systems are becominK more complex, and small embedded platforms can
often not support their resource requirements.
An embedded system usually interacts with devices in its environment. Such devices often
introduce real-time constraints on the device drivers controlling them. By real-time we mean
that the correctness of the system depends on its processing of certain events within a known
interval, in other words: before a deadline. In some real-time systems a missed deadline may
have catastrophic results. Such systems are usually called hard reol-time systems. Examples
of hard real-time systems are on-board ftiKht control systems, medical control systems, etc.
Other real-time systems can recover from missed deadlines, and are know as 30ft rt!tJ1-time
systems.
Pnueli [45] describes two basically different views of computerised systems. The first, called
traruJormational 8J/8tem&, refers to systems which accept their inputs at the ~nnin~ of
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 1. INTRODUCTION 2
their operation, and yield their outputl at termination. The .ec:ond, called mJctive ".te"."
are .y.tem. which typically don't terminate, but remain in perpetual interaction with their
environment. Reactive Iyatema are not used to obtain & final result, but rather to COIltroi
onloins procetlel. Embedded .y.tems are often reactive .y.tem••
1.1 The subject of this thesis
Small commercial and industrial embedded systems are often built on uniprocessor platfol'Dll.
The processor and RAM resources of these platforms usually do not permit the use of 10-
philticated .tate of the art operatin,; .ystems, but their reactive nature i. beat .upported u
a system of communicating processes. Furthermore, these systems interact with devices, and
therefore often have real· time constraints.
The purpoee of this study is to find & design and implementation methodology which il
suitable for the type of systems described above. The implementation strategy should euure
that the temporal correctness of a design is preserved in its implementation.
1.2 Outline of this thesis
This chapter introduces the concepts of real-time, embedded and reactive sy.tems, ud de-
scribe. the lubject of the thesis.
Chapter 2 deecriba the atate of the art in real-time scheduling techniques, operating .y.temJ
and design and analysi. methods. One method is cha.en for an experimental implementation.
Chapter 3 .ummariJeS the RT/PC ptJf'Qdigm: a desip and analy.i. method for real-t.ime
.y.tems. The paradip, ita graphical design notations, schedulin~ result., and realiaabllity
analysis are described.
Chapter .f examines the dMign, features and performance of the ESE kernel, which .upport.
implementation. of RTfPC desips.
Chapter 5 describes the desip, analysis and implementation of a real system. The RTfPC
metlaod i. UE to deaip the 'yltem, which il then implemented on an embedded ESE kernel.
Tmally, chapter 6 di¥CUS8el the conclusions drawn from usinK RTfPC and the ESE kerael in
practice.
Stellenbosch University http://scholar.sun.ac.za
Chapter 2
Background
In chapter 1, the goal of this study was stated to be an investigation into a design and imple-
mentation methodology, which is appropriate for uniprocessor based embedded systems. We
also saw that the concepts of real-time and reactive 8J/stems are pertinent to this study. The
implementation ofembedded systems, on the target platforms in which we are interested, will
require specific kernel support for reactive, real-time systems. To understand the background
to this study we must therefore survey the literature pertaining to real-time schedulins, re-
active and embedded systems, analysis and modeling techniques for real-time system", and
operatins system support for real-time systems.
2.1 Scheduling algorithms for multiprogramming in a hard-
real-time environment
This wu also the title of a landmark paper by Liu and Layland [39] in 1973, in which
the authors compared two preemptive priority scheduling techniques: a fixed priority and a
dynamic priority scheduling algorithm. In the fixed priority algorithm, priorities are assigned
to tuks according to the rate monotonic priority assignment method. In the dynamic priority
aJsoritbm, the priority of a task is determined by ita deadline. Liu and Layland's results are
for periodic tub scheduled on a uni~r, and ttub are independent. That is, requests
for a certain task do not depend on the initiation or completion of requests for other tuks.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND
2.1.1 Rate monotonic Icheduling
4
Let T = {T.,T2, ••• ,T",} be a set of m periodic tuks. Let each tuk T. = (Ci,Pi) be char·
acterised by its execution COlt, Ci, and its request period, Pi. The f'eq1'e.t rate ri of a tuk
is the reciprocal of its request period, and represents the frequency at which the tuk mut
be scheduled. A rate monotonic priority auignment to T implies that for all T.,Tj E T, the
priority assigned to T, is higher than the priority assigned to Tj iff Pi < Pj. Liu and Layland
proved that the rate monotonic priority assignment is optimal in the senle that if a feuible
priority uaignment exists for a task set, the rate monotonic priority "Iignment i. feuible for
that task set.
De8nition 1 A feasible set of tasks can be scheduled on a unip1'CJCeuor in .uch a 1lHJy tlwt
et1ery ezecution request of every task is guaranteed to have completed ezecution at or before
iu deadline.
De8nition 2 An optimal scheduling dilcipline can correctly schedule any tcuk let that
is fetuible.
Liu and Layland defined a proceuor utiluation factor, U, =~, for tuks. The total proceuor
utilisation for a set of tasks is given by
For a~venfixed priority scheduling algorithm, the leut upper boundofthe utilisation factor is
the minimum of the utilisation factors over all task sets that fully utilise the proceaor. If the
utiliu.tioD factor of a tuk set is below this bound, there exists a feasible priority auipment
for it. H the utilisation factor of a task set is above the least upper bound, it il feuible only
if the requelt periods of its tukl are related suitably. Liu and Layland proved that the leat
upper bound of the utilisation factO!' for a fixed priority auip.ment is
U :S m(2i!a - 1),
and for la.rse m
U ~ In2= 0.69
Lill and Layland's ori~ua1 work haa been extended significantly. Dhall and till [14], for
example, studied the performance of the rate monotonic fir.t fit and rote monotonic nezt
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND 5
/it IChedulinl allorithm. for multiproceilOr .y.tem•• Sha and Goodenough [SO] diKuII rtJt~
monotonic afUll!JN and live necessary 4Jld sufficient feuibiUty condition. for tuk lett which
exceed the least upper bound for fixed priority proceuor utili.ation. They alao dilCUJI how
aperiodic tasks can be supported, and give a sufficient feasibility condition for tub which
synchronise.
When tuks which are scheduled according to the rate monotonic algorithm synchronise, i.e.
the requests for a certain task may depend on the initiation or completion of requests for
other tasks, a situation called prioritll inversion arises. Priority inversion occurs when tasks
with different priorities come into contention for a shared resource, and a higher priority tuk
is blocked by a lower priority task. Davari and Sha [12] examine common source. of priority
inversion and outline a number of solutions to the problem.
The rate monotonic scheduling algorithm is popular today for scheduling sets of tasks with
hard real-time constraints [36, 60, 6], and rate monotonic analllsis can be used in conjunction
with other scheduling algorithms [6].
2.1.2 Deadline driven scheduling
The effect of using a deadline driven scheduling algorithm is to dynamically adjust the priori-
ties of tasks according to their deadlines. For a periodic task set Liu and Layland [39] derived
the following necessary and sufficient feasibility condition for a deadline driven scheduling
algorithm:
For a given .tet of m periodic ta3b, the deadline driven 3Cheduling algorithm i8
feui6le if and only if
This means that the least upper bound for processor utilisation is uniformly 100%. Two
deadline driven algorithms are commonly used:
1. The leut Mack fir.t algorithm selects the task with the least amount of slack before its
deadline. The difference between the remainder of a task's period (before its deadline)
and it. computational cost is known as its slack. This algorithm has been proved to be
optimal for uniprocessor systems [37].
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND 6
2. The earlie,' deadline !ir,' algorithm .elects the tuk with the earliest deadline to be
executed next. Thi. algorithm haa been proved to be optimal for both uniproceuof and
multiprocessor sy.terns [37].
Deadline driven scheduling is optimal for both periodic and aperiodic tub [8,28,9,39]. JeWay
[28] proved necessary and sufficient feasibility conditions for preemptive and Don-preemptive
earlie" deadline first scheduling of periodic and aperiodic tuks on a uniprocessor.
2.1.3 Hybrid scheduling algorhhma
Hybrids of fixed and dynamic priority algorithms are used for many reasoDS. Lin and Layland
[39] observed that interrupt controllers impose a static priority assignment on interrupt events,
even when deadline driven scheduling is used. Processor utilisation cannot be 100% for mixed
scheduling algorithms, but on average can be much higher than the least upper bound of the
processor utilisation for fixed priority schedulers [39].
In rate monotonic schedulerfi the priority of critical. tuks may be temporarily adjusted to
accommodate transient overload conditions [SO]. Miller [43] cites the neceuity to have func-
tional prioritisation in the presence of deadUne scheduling. Schwan and Zhon [49] describe a
preemptive earliest deadline first scheduler which performs dynamic feasibility analysis when
a tuk request is received. Since all deadlines cannot be paranteed in this environment a
secon<lary metric, called criticalneu is used to determine which task is scheduled when two
tasks cannot simultaneously meet their deadlines.
Bei:ause deadlines must be met in the worst cue behaviour or hard real-time systems, anal-
ysis of hard real-time systems is usually bued on the theoretical worst case behaviour of the
system. The average case behaviour may differ lignificantly from the worst cue, and ifsched-
ules are computed bued on worst case, under utilisation of resources may result. Hatdware
and IOftware monitors may be used to measure the real-time behaviour of real-time systems,
and adapt the schedulin! policy accordinAly. Haban and Shin [19] describe issneo relating
to real-time monitorins, and their experience with u.ing a hardware monitor, while Kenny
and Lin [3D] describe IOftwa.re monitoring in the Flex language and C++. Some real-time
operating systems include monitors to improve average system performance [58].
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2, BACKGROUND
2.1.4 Run-time v•. pre-run-time .cheduling
7
Because it is imperative for a hard real~tlme system to meet its deadlines, tuk schedules for
hard real~time systems are &Ometimea computed before run-time. A very simple run-time
scheduler is then used to select the next task from the pre-calculated schedule. Schedulinc
a task set before run-time can reduce the run-time scheduling overhead, because feaaibility
anaJ)'sis is not done when the task is scheduled t and it ensures that a feasible schedule exi.ts
before the task set is run. This approach is called pre-ron-time Khedulingt or 6tatic 6Chedvling.
Another approach is run-time or dynamic 6cheduling, where the schedule for & tuk set i.
calculated as task requests arrive. Except for a. closed task set, run-time IChedulinc implies
that feasibility analysis is required when a task request arrives. Burns [5] reviews current
scheduling techniques for hard real~time systems.
Xu and Parnas [65] argue that pre~run-timescheduling is essential to guarantee that a system
will meet all its timing constraints. In their experience most tasks in a. hard real-time environ-
ment are periodic t and any asynchronous (aperiodic) task can be translated into an equivalent
periodic tuk. For instance, let Til = (cII , PII' dlli ue an asynchronous task, with c. the wont
case computational COlt, P. the minimum period between successive requer.ts for T., and d.
its deadline. T. can be translated [65] into an equivalent periolic task, T,. .::: (r,.,e"pp,d,),
with release time r" = 0, computational COlt cp = f\1t deadline d. ~ dp ~ Cp , period
pp ~ min(d. - d" + 1,p.), In this way it is possible to schedule asynchronoUi taaks UI-
ing pre-run-time scheduling. Xu and Parnas [64] give a. pre-run-time scheduling algorithm for
processes with release times, deadlines, precedence and exclusion relations. Shepard [53] gives
a pre-run-time multiproceuor scheduling algorithm for the same class of processes. The origi-
nal algorithm by Xu and Parnaii was later also extended by Xu [63] to include multiprocessor
architectures.
Schwan and Zhou [49] argue that dynamic hard real-time systems, in their experience, have
to cope with unexp«ted sporadic (aperiodic) processes with hard deadlines. A schedule
of periodic t2Sks computed pre-run-time cannot adapt adequately to frequent unexpected
task requests with hard deadlines, Such task sets should be scheduled dynamically, but this
means that a feasible executing task set may be rendered infeasible by the arrival of a new
task request. Run-time feasibility analysis is therefore required before a new task request can
be scheduled. Schwan and Zhou preaent a preemptive earliest deadline first alCorithm with
run~timefeasibility analysis, A secondary metric, critical~is used to determine which tasb
are scheduled when the arrival of a new task request caUIeIS an infeasible schedule. When
a new task request arrives, only those tasks which are in contention with the new task are
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND
rescheduled. This keeps the run-time overhead of the scheduler low.
8
Chetto and Chetto [8, 9] use a. combination of static and dynamic scheduling for fault toler-
&Ilt hard real-time systems. For each task it is possible to schedule either a primary or an
alternative process. If a primary process fails, an alternative may be used to recover from
the failure. The primary processes are scheduled pre-run-time, and alterna.tive3 sporadically
when a primary fails.
2.2 Specification and analysis techniques for real-time sys-
tems
Embedded systems are hard to develop and test for a number of reasons. Because the hard-
ware platform of an embedded system is usually customised to the specific purpose of the
system, the usual development aids such as character I/O and interactive debuggers can often
not be used. Because an embedded system is often a subsystem of a larger system, it may not
be possible to test in isolation, and more seriously, it may have real-time constraints which
are hard or impoesible to create outside the actual target environment. In some critical hard
real-time systems, such &8 weapons systems, the prC'blem with testing and correcting errors
under operational conditions ill self evident.
De Roever [13] urges the development of a design specifica.tion which latime- ~ "full re-
quirements specification", followed by implementation accordins to fall-sate, fault tolerant
techniques. Rigorous specification development is only possible when a formal specifica~jon
method i. used, and preferably automated. Fault tolerant techniques are becoming more
COD".:\!.an [8, 9, 33, 37, 41, 54], and many analysis techniques have appear-ed. Although tht.!
definition of the term real-time depends on the perspective of the practitioner UliD!it, thf!re
are clear ca~ories and trends. The explicit use of time in the ~fi.catiODof zeal-time .ys-
tems evokes a wide ranse of responses. Turski [59J advocates tot21 avoidance of tte explicit
use of time, while others prefer stepwise addition of timin« constraint5 [23, 35]. At the other
extreme are totally time bued design and analysis methods, such as ra~ monotonic analysis:.
The followin~ papers provide review aspects of design a.nd analysis of real-time .ystems:
Heath [22] alpes in favour of multiprocessor design architectutesi Joseph and G06Wami [29]
review formal description techniques used for real~time .ystem;; and Hull, et al [26] compare
four methodg for real-time system development. We shall now briefly examine lOme £urrent
trend•.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND 9
State machine•• Harel [20} describel an extension of finite atate machinel t called StGIe-
charts. Statecharts is a visual formalism which allow. the specification of concurrent
components. u well aa their refinement and abltraction. It il well luited to the rilor-
ous specification of reactiv" systems and since the aemantia of statecharts are formally
specifiedt automated analysis of statecbart15 can be done (21].
Communicating Real~Time State Machines [52] is a notation for specifyin~ the require-
ments of real-time systems. It a.1lows the definition of a syr.tem of state macbinet that
communicate over unidirectional channels.
Temporal JoSie: and model e:hec:kinS have been used successfully in the verification of
concurrent systems [10]. Extended temporal logics can be defined [44, 45] to allow
quantitative temporal operators over bounded intervals. The resultant logics are uled
to specify real-time properties for models of finite state systems. These modell are
extended with a mechanism which allows the expression ofbounds on the delays between
state transitions. Model checking can be used to verify that the model satisfies the
specification.
Graph theory. Graphs can be used to model real~time systems [27, 28]. Real~time con~
straints can be specified for elements of a graph and used in a mathematical analysis
of the temporal behaviour of the system. The design method of the MARS rea1~time
operatin~ .ystem uses graphs to specify real-time transactions [34,33].
Proceu alJebra. CSP·R [40) is an extension of Hoare', Communicating Sequential Pro-
cesses [24, 25] by a real~time construct, wait t. Pregams with real~time constraints can
be written and statically analysed for temporal correctness. The maximal parallelism
approach to real-time programming, taken in CSP-R, ia criticised by Kurki-Suonio [35]
because of the interdependencies on the relative speed of processes which it introduces
into models.
Real-time anaIy.w for programming languages. Fugetta et al [15] exteIid Haase's [18)
extension of Dijkstra's ~arded commands by parallel ~arded commands (PARCs) for'
rea}·time PfO!l'&ms. Execution times for PARCs are specified as weakest preconditiou.
Shaw [51] deICribes a methodolOQ" similar to that of Fu~tta, et aI. He extend. Hoare
Josic to prove assertions about deadlines and timing constraints in hir;h levellanpap
progams.
Stoyenko et al [56] describe a system which supports paranteed schedulabllity of Real·
time Euclid progams. The system includes a Real-Time Euclid compiler, schedulability
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND 10
ualyaer. and a kernel which Ichedulea tub accordin,; to the Earlint Deadline Fir.t
policy on a multiproceuor hardware platform. It i. capable of luaranteeinl real·time
r"'ponae.
I have tried to ,;ive a brief overview of trend. in real-time .y.tem design. AI we .hall Me in
section 2.3, the trend in hard real·time operating systeml ia toward. distributed and multi-
processor architectures.
2.3 Operating systems for real-time systems
A larl'! number of real-time operating systems have been developed over the last decade. The
latest systems reflect the state of the art in hardware (distributed and multi-microprocessor
architectures) and the theory of analysis and 8cheduUng of real-time systems. We shall briefly
review some of the well documented examples.
ARTS [58] is an object oriented distributed real-time operating system kernel and a. real-
time toolset which consists of a 8chedulability analyser and a real-time monitor. ARTS
hu a time driven rate monotonic scheduler ud priority inheritance protocol to prevent
unbounded priority inversion. The scheduler can ,;uarantee hard periodic tub, and
perform criticality baaed 10ft real-time task IChedulinl, u well u overload control bued
on value functions of aperiodic tub.
CHAos·rc [17] is an object bued real-time operating system desiped for a multiproceaor
architecture. It can run on bare hardware, or on a.n existin~ operatin~ system [47,048].
Chaota supports lockable resources, and uses a run-time earliest deadline first lChedulin~
policy. Schedulability analysis is done dynamically and a priority auipment, bued on
the "criticalness" of the task, is uled to determine a feuible tuk set [4, 48].
Real-time thread. [47, 48] il a. pac~ which IUpports the progamminr; of concurrent
threads on &. UNIX platform. Since the package is built on top of a Itandard UNIX
platform, it is portable. Schedulin~ is earliest deadline, and uchedulability analysis
i. dODe when the thread i. created. Thread. communicate via lockable shued data
structures or signal.. See aUo Chaoearc•
FAIRCHILD [42] i. a real-time operatin~ .Yltem which runa on an embedded Intel 80386
sy.tem. It employ. a pndictive deadline .cheduling polic, (43] and supports multipro-
ceuiD~, 8eIIlaphorea and event mana«ement. In [42] Miller ~ves performance statistics
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND
for the syltem.
11
HARTS [54] (Hexaconal Architecture for Real·Time SYlteml) il a. melh of 19 nod_, each
con.ilting of application processorl, a network proceJlOr and a RISe proceaor. Each
node connects to 6 other nods via ill network proceuor. A di.tributed operating
system, HARTOS, consilts of a sin~e processor kernel running on each appUcatioll
proceuor. A distributed name service and both blocking and non-blocking inter-proceu
communication is provided. The scheduling policy is priority bued and proceues can
change their priority dynamically.
MARS [34, 33] (Maintainable Real-Time System) is a fault tolerant di.tributed real-time
operating system. The MARS architecture consists of a number of MARS component.
inter-connected on a synchronous real-time bus. Each component j. a computer on
which tuks are executed, and components are cIudered to man88e network complexity.
M~es in MARS are not consumed .. hen read. Instead, & message may be read
multiple times, and is overwritten when the system state changes. Tasb as well u
communication on the MARS bus is scheduled pre-run-time, and hard real-time tub
are periodic. Aperiodic tasks usually have soft deadlines, and are handled in system
idle time.
MaruU [38,37] is an object oriented distributed real-time operating Iy.tem which IUpport.
rault tolerance through replication. Maruti supports reactive systems in that tuk re-
quests may be entered dynamically when a previously paranteed schedule i. already
executing. Run-time schedulability analysis determines whether a new tuk request
can be guarant<.-ed to complete before its deadline. Tasks with no deadline &Daranteel
execute "off-line" when no real-time tasks are ready.
Sprins [55] is a distribut.ed real-time operating system kernel which gua.rantees deadlines.
It support. tuks with lockable resources, which are scheduled at run-time. Run-time
schedulability analysis determines whether a task's deadline can be guaranteed.
Tooth [7] is a sinpe processor real-time operatins system which .udesiped to be portable.
It run. on Data. General Nova and Texas Instruments minicomputers. Tub are Khed-
Wed on a priority buil, and a task is not preempted unless a hil!l:her priority task
becomea ready, or the task is blocked.
Commercially available real-time operatiDA' ayateDd. VRTX [46J is a commercially
available real-time operatin! system for embedded microprocessor application•• Tub
Stellenbosch University http://scholar.sun.ac.za
CIIAJlTER 2. BACKGROUND 12
are- acheduled by .. pre-empth'e priority bued .cheduler on a. uniproc::enor. Tub commu·
nicate throu«h .iAnal., mailboxel and queues. Variou. real·time ver,ion, of the UNIX
operatinS8yltem have been developed (lOJ. Intpl Corporation'. RMK kernel aDd IlMX
operatin«.ystem [1] are 10110 widely uted. QNX [31] i. a di.tributed real-time operatins
system which provides inter-procels communication tbrousb remote procedure calli.
The review of real-time operating systems provided here is by no means complete. The
intention is to reflect the current trends, and to highlight how both deadline driven and
priority based scheduling is employed both pre-run-time and at run-time.
2.4 The real-time producer/consumer paradigm
In 1989 Kevin Jeffay published his Ph.D. thesis [28] in which he describes a design method
for real-time systems. The method is based on the premise that a real-time system can
be understood in terms of producer/consumer relationships on system components. Jeffay's
paradigm requires that the k'n message sent on any channel must be consumed before the
k+ 1''\ message is sent. He calls this the Real-Time Producer/Consumer (RT/PC) paradigm.
Jeffay provel that both preemptive and non-preemptive deadline schedulins could be uled to
realise hi. paradigm. This makes it well suited to reactive real-time systems which are driven
by aperiodic (sporadic) events. The message passing semantics of the RTfPC paradigm makes
it pouible to reuon about time, and make accurate performance predictions.
In his thesis Jeff'ay describes a graphical design method which supports RTfPC~ and deter-
mines certain conditions under which an RTfPC design can be implemented with parantees
of temporal correctnen. These conditions can be used to support a design and development
method for real·time reactive systems which spans requirements analysis to implementation.
Given appropriate Iun-time kernel support, the Ieal~timebehaviour of a design can be SUar·
anteed at run·time.
2.5 Discussion
It .hould be clear from the brief survey of scheduling techniques that there are distinct camps
in the field ofIChedulin~for hard real-time systems. Both rate monotonic and deadline driven
lChedaliDS can be used to guarantee deadlines. Both techniques can be used in a static as well
Stellenbosch University http://scholar.sun.ac.za
CIIAPTER 2. BACKGROUND 13
as dynamic: Ic:hcdulins mechanism. lIybrid techniques (mixed priority and deadline driven
sc:hcdulinS, and dynamic priority adaption) are used widely.
The choice of Ichedulinr; algorithm (priority hued or deadline driven) and whether IChedulins
is aone pre-run-time <If at run-time, is dictated hy the nature 01 the r~a1-timeenvironment in
which the system will run. In environm~ntswhere sensors a.re regularly sampled, a periodic
task approach is suitable. In environments where a system hu to react to frequent sporadic
events, a deadline driven approach is appropriate.
If it is imperative that hard deadlines he met, pre-run-time Icheduling can guarantee a fea.-
sible schedule. In a closed task set deadlines can be guar'Ulteed by both deadline and rate
monotonic scheduling, hut rate monotonic is preferred in periodic task environments. If taak
requests can arrive dynamically, all deadlines cannot be guaranteed - a new task requNt
can render the current schedule infeasible. This means that run-time feasibility analysis mUlt
be done. If the new task set is infeasible, some tasks will not meet their deadlines. In a
hard real-time environment, critical tasks must therefore be ensured to remain in the feasible
schedule. This can be done by ensuring that they have a higher priority in a rate monotonic
scheduler, or to use a second priority metric in deadline driven schedulers.
Next generation real-time platforms tend to have multiproceuor or distributed architectures
with processors dedicated to specific purposes. Processor nodes sometimes consist of a eluater
of special purpose processors: application processor, network processor, off-line scheduler,
monitor, etc. The design and features of next generation real-time operating systelDl depend
on the environment in which it is used. Systems which support periodic tub are used
in periodic environments, such as pure control systems. Operatin& systems which IUpport
aperiodic processes are normally used in asynchronous environments, usually with deadline
scheduling. Fault tolerance is usually supported through repUcation. Failures of primary
tasks scheduled pre-run-time are recovered by backup tasks which are activated aperiodically,
and usually scheduled by deadline.
The goal of this study was stated in chapter 1 to be an investigation into a method of de--
sipl, analysis and implementation for small, uniprocessor based embedded reactive systems.
Run-time support for the method should allow guaranteed real-time behaviour, and the im-
plementation method should use resources such as CPU and RAM economically.
Since the systems in which we are interested consist of closed reactive task sets, deadline
schedulinS can be used to guarantee real-time behaviour. Jeffay's method suits the envi-
ronments for which the method is intended very well. In RTfPC messages flow through
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 2. BACKGROUND 14
the .y.t.m from input devices, tbroulh communicatinl proceun to output devic.. Deadli..
drive• .claeduUoS makes it well.uited to aperiodic environmentl, ud I.TIPC IImutkl allow
ripou. reuoainl about tbe tlmlnl of a .yltem'. real-time behaviour_ Finally, kerael ••pport
for RTIPC can be economically provided on the platrorma for whicla it i, Inteadecl. J.ay'.
method wu therefore chORD to be the lubject of an experimeDtal kernel.upport implemea·
taUon, u wellu a nontrivial reactive application. The relt of thi. thesis dscribM the kenIeI
implementation, ud the application of RTfPC in the desip, analy.i. ud implementatioll of
a real reactive application.
Stellenbosch University http://scholar.sun.ac.za
Chapter 3
The real-tim.e producer/consumer
(RTfPC) paradignt
3.1 Introduction
In this chapter we will examine Jeffay's method of design and analysis for hard real-time
systems [28]. Jeffay defines a model of hard real-time systems, which he calls the relIl-time
producer/con&Umer paradigm, and uses it as a semantic basis for a design discipline of real-
time systems. The method consists of a graphical design notation for describin« RTfPC
systems, and a sequence of analysis steps during which the semantic correctneu of the system
is determined. This chapter discusses the various components of the design method, and the
different aspects of analysis. More emphasis is laid in this chapter on the design method than
analysis, since the analysis of RTfPC systems is the subject of chapter 5.
Je1fay models a real-time system as a system of meMoge producers which communicate with
meuage consumers via unidirectional channels. Assuming that there is no propagation delay,
the consomer of a message receives it immediately after it was sent by the producer. If a
producer produces messages faster than the consomer can consume them, then no amount
of blltTerins is sufficient to prevent the 1068 of messages. To guarantee the correctness of the
system the consumer must process messages at least at the rate at which they are produced.
Baaed on this observation Jeffay defines the real-time producer/consumer paradigm (RTfPC)
as follows:
Definition 3 The consumer must proceu the it" output of the producer before the producer
Stellenbosch University http://scholar.sun.ac.za
CllAPTER 3. TJIE REAL-TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 16
Figure 1: Real-time producer/consumer paradi&m
Fisure 1 illultratel the RTfPC paradism. Producer and Comumer are proceuel, connected
hy a unidirectional channel. The rate (r) at which metAges can 80won the channel between
Producer and Consumer, is the reciprocal of the minimum period between any two mfta~es
on the channel (Pmi,,)'
3.2 System components and graphical notation
In this section we shall examine the components of Jefl'ay'a design discipline, and describe his
sraphical notation. The method is bued on the producer/consumer mode! of communicatins
r·roceues, and the design of a real-time system may be expressed &8 a directed sraph, G =
(V, E). V is the set of vertices, and can represent proceue" input device" o"'1*t device,
or data repomone,. E the set of edSel, and can represent unidirectional lynchronoUi or
asynchronous channels between the vertex components. A deaip can therefore contain1:
• Procelllle3 - machines which process messages. Proceues are gaphically denoted as
ovals.
• Channel. - unidirectional asynchronous connections between proceuee, or synchronous
connections between processes and datarepo.~itories.An asynchronous channeli.~h­
ically denoted by a aingle--headed arrow) a. synchronous channel by a double-headed
arrow.
• Data reporitorie, - machines which control access to data objects which are shared
between two or more processes. Data repolitories are gaphically denoted by two con-
centric ovals.
11 IlaYe .-ocIiW Jd'a)". oriciaal Irap1Licai IIOtatioa 8liPU)' wit. reaard to UP'll. ud otltptlt dewioes.
Jd'ay'. ori&iaal papIUcal aotatio...... darlreaed c:irde 1M iJlpat. de.x-•..d .. darb:aed ..d QacJ.l c:irde
- otlt.plIt deYic:a. I ue a bu Sot bot. upat aad otltpal dnka. laP'll aacI otllPal deYic:a caa .a.iU lie
uiq.. iclealihd: uplt dnices by tlleir up: otltsoiq direct.ed eel•• ud oatpat deYkes by t1leir Iiq1e
iaco-iwa edae· TIae llOhlioaal ellaa••u aea.itated by .. lad: of lIapJUal tooI.. ud iaca... 110 _ or
1RUIi... power 01" darity.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. TIlE REAL4TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 17
1111 I--~d>-·
In, t-----.(
Figure 2: An RT fPC design graph
• Input device8 - process abstractions of physical devices which cause messages to How
into the system; denoted graphically by a bar.
• Output devices - process abstractions of physical devices into which messages flow out
of the system; denoted graphically by a bar.
• Mutual ezclvsion regions - sets of processes or data repositories which are implicitly or
explicitly required to execute mutually exclusively in time. An explicitly defined mutual
exclusion region is graphically denoted by enclosing itl members in & box.
Figure 2 is an example of an RT fPC design graph. In the figure we can identify the following
components:
• A, B, C, E and F are processes;
• D is a data repository;
• Inl and In2 are input devices;
• Outl and Out2 are output devices;
• The directed edges of the graph represent unidirectional channels.
• The box enclosing vertices E and F defines an explicit mutual exclusion region, consisting
ofE and F.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. TilE REAL·TIME PRODUCER/CONSUMER (RT/JJC) PARADIGM 18
3.2.1 Proeeuel and channell
An RT/PC model represents & reactive system which perform. certain action. in re.ponle to
events that occur in its environment. In the mod~l event. are reprelented by meIHIe. which
are transmitted to processes by input devices or other proceue.. When a. proceu receive. &
mcssage it may perform certain operations, and send one or more messages in re.poBie to
other processes, data repositories or output devices.
An RT/PC process consists of a single execution thread, with a lingle entry point, wlUch
always starts with the reception of a message, and is defined by it. behaviour in re.ponle to
each mesaace it may receive. Each time a process completcs its execution thread it blocks
until it receives another message.
Fisure 3 shows a schema. for a.11 RT/PC process. The A CCEPT command blocks the proceA
until it receives a message (m$g). It then executes the body of the process, a.nd may call
A..EMIT and S..EMIT one or more times. A-EMIT is used to send & message to another
process or output device on an asynchronous cha.nnet. S-EMIT is used to send a synchronous
message to a data repository, and to receive a reply from it.
A process can receive messages on only one logical input port, but several asynchronoul
channels may connect to the same input port. A procen may emit menages on a let of
output portl, but only one message may be emitted on each asynchronous output channel
per execution of the process thread. The input and output port. of a process are Itatically
bound to communication channels for the lifetime of the system.
A channel is a connection between the output port of one process and the input port of
another process or data repository. H a process sends a message on a. synchronoul channel,
it await. and will receive a. response. A process which sends a message on an asynchronous
channel does not block, and does not receive & response to the message. All meu~ea lent on
a channel will be received by the receiving process. As long as a process does not emit two
messages on the same asynchronous channel during the same execution of the proce&S thread,
and if the system obeys RT/PC, no asynchronous channel will ever overflow. A 8ynch~'Onous
channel cannot be overflowed because the sending process is blocked until it receives the reply
from the receiver, at wlUch point the receiver is ready to receive another message.
Apart from the RTfPC paradigm, message passing in RTfPC has the following semantics:
• A process can only consume one message at a time; and
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. TllE REAL-TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 19
Prace.:
BECaiN
ACCEPT (msg) ;
A..EMIT (ml) ; I· Asynchrouous emit ./
S-EAHT (m2, reply) ; /* Synchronous emit */
END;
Figure 3: Schema for an RT fPC process
• messages may be sent to a process on several input channels; therefore
• the reception of messages has to be interleaved in time.
• The receivins process cannot select which input channel it wishes to receive a message
from. The ACCEPT command will present it with the next message to process.
Becaule of the above, the temporal behaviour ota proceu i. not determined by how it handles
its connections, but by the input rate of its input port (bear i. miud that all input channela
of a proceu connect to one logical input port). One can therefore reuon about the temporal
beha.viour of a. process in terms of only the rate of its input port.
3.2.2 Input and output devices
Input and output devices are abstractions of the behaviour of the physical devices in the
environment of a system. Because an RTIPC system is reactive it is driven by the events
senerated by devices in its environment. These events enter the system in the form ofmelAle6
sent by input devices on uynchronous channels. Reactive sy.tems usually control devices, and
this i. modeled in RTIPC by sendins messages on asynchronous channels to output devices.
An input device behaves like a proceu which intermittently sends messages on an output
channel. We &Aume that there is a nonzero interval between any two meuases emitted by an
input device, with a known lower bound. It is important to know the worst caae (shortest)
interval between measasea from an input device, because it determines the rate ofdown tream
chaanela.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. TllE REAL·TIME PRODUCER/CONSUMER (RT/PC) PARADIGAf 20
An output device behave- like a proce.. which i. alway. ready to receive a mC!llace OR aD
uynchroaou. chann.l. but doe. not emit men._ back into the Iy.tem. The reuoa for
havin~ output devices in a de-iln il to determine the temporal behaviour or the 'Yltem with
resard to each device it controls.
3.2.3 Mutual exclusion regionl and data repositoriel
Some proceuet which share &Ccesl to data. or devices have critica1teetion. in their execution
thread., which require exclusive access to the shared resource in order to execute correctly.
RT/PC allows the definition oC mutual ezclu.ion regiom which are set. of proceNM which
must be suaranteed to execute mutually exclusively. A aet of proceue. may be denoted
explicitly to constitute a. mutual exclusion region, by endDling them in a box u .hOWD in
fi~re 2.
A data repo.ito'1l encapsulates data which are shared between processes. It behavesllke a
reactive process with a single input port for one or more .~hronotu channels. Proceues
send requests to the data repository, which procease. each request atomically, and replies
to the requesting process. In this way it serialisell concurrent acceslel to shared data, thu.
enluring mutual exclulion. A data repository may not emit asynchronous meaagea - it may
only respond synchronously to received synchronous menages. Data repotitories therefore do
not have any output ports. Figure 4 shows a schema for a data repository.
A process or data repository logica.lly performs a single function. To ensure the predictable
completion of each execution of this function, messages from multiple sources are not allowed
to be processed simultaneously. Processes and data. repositories are therefore allowed only
one entry point where messages can be accepted. A process or data repository with multiple
input channels forms an implicit mutual exclusion region.
Jeffay sets two restrictions on the use of mutual exclusion re,tio:1s:
• Each component (process or data repository) may occur in at most one mutual exclusion
region; and
• processes and data repositories ma.y not be combined in one mutual exclusion region.
Jeffay does not give reasons for these restrictions, but deadlocks may occur if vertices are
freely combined in mutual exclusion regions. A process and data. repository in the same
mutual exclusion region would be unable to communicate, beca.use their execution is always
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. TilE REAL·TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 21
DataRepolilory:
BEGIN
Accept (mil) ;
·
·
·Reply (value)
END DataRcpoIiitory ;
Figure 4: A schema for an RT/PC data. repository
interleaved in time.
3.2.4 WeJl-formedness of design graphs
Jeffay imposes two restrictions on the interconnections of processes:
1. There must exist a path from at least one input device to each process in the system.
2. A process ma.y have any number of synchronous or asynchronous output channels; how-
ever, no two asynchronoul output channels of a process may have the lame receiver.
Jeffay calls a design tha.t satisfies both restrictions well-formed. He also sta.tes tha.t the first
condition simplifies the analysis of RTfPC designs, the second implementation of RTfPC
systems.
Every message in an RTfPC system ultima.tely originates from an input device. Therefore,
if condition 1 does not hold, it means that a process in the desip graph is unreachable. H a
process is unreachable, its input channel rate functions cannot be solved, with the rea.ult that
it is impossible to determine analytically whether the system will obey the RTfPC paradipn.2
An unreachable process does not contribute to the system, but complicates the analysil.
Jeffay's statement about condition 2 presumably refers to the amount of buffering required.
Recall that all input channels of a process logically connect to a single input port. H condition
2 holds a process cannot send more than one message to another process during the same
execution cycle. Thi. would mean that only one message needs to be buffered per input port
jf condition 2 is met; one per input channel if condition 2 is not met.
21& ..~bIe to detenniae aaalyticaly wltetlter a .ystem will obey tile RTfPC puadism if aD Ute duad.
rate (..ctio.. C&Il be aolYed. TJU. will be diKueed ia aedio•• 3.4 ud 3.6, u well u cltapter 5.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. THE REAL·TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 22
3.3 Menage pauing semantics
JefFay'. dt!llCn method .peclftea .pecla! tempora!.emantic. for meuace PUlial. Every cllU·
nel bu one producer and one con.umer of menace.. All c:oanected pain of pl'OCellel obey
the RTfPC paradicm, which require. that whenever a JDeIAIe i. produced on .. cll..HI, it
will be consumed by the receivinc process before the next meuqe il produced OD tile tame
channel. The time interval in which a consumer may con.ume a meu&«e i. therefore defiaed
by the arrival rate of men~eson the input port of that conlumer.
3.3.1 MenaBe transmi.sion rates
Each channel in a. desip gra.ph hu an uaociated menage tran.million rate which i. defined
in terms of the worst case (shortest) inter arrival time of menages at the receivin« Procell of
the channel. If Pm'" il tbe shortest inter arrival time of meaages on a channel, itl rate i.
1
r=--,
Pm'"
where Pm,,, i. an inteser multiple of a time unit of suitable granularity.
3.3.2 Re.trictions on process construction
In order to enlure that a procell can be puanteed to obey RT/PC, JefI'ay defines a number
of restrictions on the construction of processes and data re~itoriesin implementatiou.
• Process and data repositories are implemented in a lequentiallanguage in IUch a way
that the exec.tion time of each programming construct can be statically determined.
In order to determine whether an RTfPC implementation is guaranteed to be temporally
correct, the execution COlt (tiInin«) of each process must be determined accurately.
Ideally the COlt of each construct should be automatically determinable, pouibly by
the compiler for the implementation lanp~e. As 8uch tools do not exist for most
compilers used in real systems (such as C, Modula-2, etc), one has to revert to other
tools to measure the timinKs of processes. This can be done accurately as 108« as the
implementation lanpage is sequential, and the execution of a thread is not interleaved
with other threads.
• Potentially nonterminatin« constructs, such as loops, must contain & mechanism to en-
nre termination. An unbounded loop can easily occur when & loop is used to test for &
Stellenbosch University http://scholar.sun.ac.za
CHAPTER. 3. TilE REAL·TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 23
.peeific condition in a bardw&r! device. I( the condition never occun (dUel to laudwaN
malfunction, for ~xample) the loop will not terminate. The wont cue (Ion.-t) exec..•
tion time (or a loop mutt be uaed in the aaalysi. of RTfPC .y.tem.. Aa upper bota.d
mUlt thereCore exilt on the number oC tim. aay loop may be executed. Ifa bota.d i. aot
explicit in the loop condition, a special condition i. required. One way 01 paraateei.,
a bounded loop il to increment and test a apecialloop counter, and termillate tile loop
if an upper bound is exceeded. Another method would be to IClt aad telt a timer.
• During the processing of a melA8e, a procf!U may emit only one mCllAle per UyD-
chronous channel. Thil ensures that the recei ver can be scheduled to procell the mea-
sap beCore another message il sent on the lame channel.
3.4 Calculating channel input rates
In order to determine the precise semantics of an RT fPC system one must be able to calculate
the trusmil8ion rates of all channels accurately. Synchronous channels are only used to
connect processes with data repositories. To adhere to RT/PC a process muat COD.ume
each menage it receives within ~ time units, if r il the rate of it. input port. If & procell
communicates with data repOlitories, all synchronous communications mUlt be completed.
within ~ time units as well. The rate of synchronous channels are therefore determined by
the rate of asynchronous channels.
3.4.1 Calculating message output ratea
A channel's tranamission rate is the rate at which the sendins process connected to it transmits
m~es on that channel. The transmission !'2:.te of the process depends upon the rate at
which it proceaes menages on its own input port. A trarumiNion rate function i. defiJled foI'
each asynchronous channel, which mapa the rate at which the IClnder procell receives JDeUa«eS
to the rate at which it emits mesA«es on that channel. The time required to execute the code
to process mesA&es received on itl input port, and the rate of the input port of & process
determines the transmisaion rate function of each of the output channels of the proceu.
Stellenbosch University http://scholar.sun.ac.za
CIIAPTER 3. TilE REAL·TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 24
r t:\ fer)
-~I\!J ·
Figure 5: Message transmission rate function
n
rin =l:;ri
i=l
Figure 6: Input rate definition for MP/SC processes
3.-4.2 Calculating message input rates
The input rate of a process with only one input channel is et;ual to the menage tran.million
rate of that channel. A process which receives messages on a set of input channel. i. required
to obey RTfPC on each of those channels. Messages can arrive simu1talioou.ly on any number
of the input channels of a procell. A .inKle buffer il therefore required for uch 'nput channel.
Hmeuages are buffered for input channels, the input rate ofa multi.producer/sin~coD.umer
(MP/SC) procell is equal to the agregate rate of its input channels.
The rate of a channel connecting an input device to a process is simply the worst case rate
at which the input device can produce messages.
H a desi~ pph is acyclic and well.formed, the transmission rates on all asynchronous chan-
nels C"Ul alwaylJ be calculated. These equations may be solved numerically or symbolically.
3.5 Schedullng results
bt an implementation of an RT/PC design, the RT/PC system is represented by a set of
communicating tuka3. To ensure that the implementation satisfies the temporal requirements
3To dil'aalia&e belweea & dais:. Uld ita implemeatatioa, we refer to proceNell i. & deaip pap•• ud
bPs ia ... maplaaeatatioa tuft .et.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. TllE REAL-TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 25
orthe detiln, it is neceuary to find a way to Ichedule the t ...ka in luch a way that the R.T/PC
paradipn i. preserved. Since R.TIPf"", require. that a message i. conlumed before a certain
deadline, a IchedulinK mechani.m which can Kuarantee deadlinet il required.
If a let of tuks is feasible it is possible to find a. achedulinl discipline which will enlure that
every task will always meet its deadline. In order to find an optimal scheduling discipline which
can support RTIPC systems, Jeffay examined the earliest deadline firat (EDF) acheduliDK
discipline with regard to RT fPC. The repetitive behaviour of RTIPC systems sugettl the
characterisation of an RTfPC process as a cyclic task, where a cyclic task is one that makes
repeated requests for execution.
Definition 4 A cyclic talk T is a '-tuple (s, c, p) were
1. 8 =8tart time (also called release time): the time of the first request for ezecution of T;
t. c = computational cost: the time to execute T to completion on a dedicated uniproceaor;
and
3. p =period: the interval between requests for execution of task T.
Jeffay distin~ishes between two types of cyclic task: sporadic and periodic. If a task makes
requests for execution at regular intervals it is periodic, else sporadic. These two typed of
tasks are typical of two important characterisations of real-time systems: periodic in time
driven and sporadic in event driven state machines [32].
In chapter 3 of his thesis, Jeffay proves feasibility and optimality results for the EDF schedul-
ing discipline with regard to the RTfPC paradigm. The results of his investigation can be
summarised as follows. For preemptive scheduling:
• EDF is an optimal discipline (see definition 2) if preemption is allowed at arbitrary
points in a process. If a feasible schedule exists for a task set, and every process can be
preempted at any point, the EDF discipline will correctly schedule the tasks.
• Feasibility of a task set can be determined analytically for arbitrary release times of
both sporadic and periodic tasks.
For non-preemptive scheduling:
• EDF is an optimal discipline for sporadic tasks; but
Stellenbosch University http://scholar.sun.ac.za
CllAP7'ER 3. THE REAL-TIME PRODUCER/CONSUMER (nT/PC) PARADIGM 26
• EDF is not an optimal disdpUne for periodic tasks with arbitrary release time••
• For sporadic tub, fcasibility can be determined efficiently for arbitrary releue timet;
but
• (or periodic tasks, feasi bility is dependent on knowledge ofrelcue timcs, and the problem
of determining the feasibility of a set of periodic tasks with arbitrary releue times i,
intractable.
These results will be used in chapter 4, when the design of a kernel which supports RTfPC
is considered.
3.6 Implementing RTfPC designs
The RTfPC paradigm requires that for every channel in a system, the receiver of the channel
consumes messages faster than its producer emits messages on that channel. In order to
determine whether a system is guaranteed to obey RT/PC, we have to reason about the
temporal properties of a design graph. We do this in terms of the message transmission rates
of the asynchronous channels of the design graph.
If the eet of equations which describe the message transmission rate functions of & design
graph can be solved, it means that the maximum input rate of menages on the input port
of each process is known. We know from section 3.5 that the earlieat deadline fir.! (EDF)
scheduling discipline is optimal for sporadic tasks. Therefore, given a fast enough processor,
we can always schedule the processes of the design graph with the guarantee that each pair
of connected processes will obey the RT fPC paradigm. Such a design graph is said to be
realiMlble, meaning that there exists a mapping from it to a feasible task set.
Definition 5 An implementation oj a de3ign graph i3 temporally correct iJ every pair
oj vert~a connected with an aaynchronoUIJ channel i& guaranteed to adhere to the RT/PC
paradigm.
Definition 8 A de3ign graph i& realisable on a uniproceuor if it is po38ible to implement
the deaign on G uniproceuor so that the de$ign toill be temporallJl correct.
Realisability is an absolute measure of temporal correctness. A realisable design graph can
always be implemented Kiven a fast enough processor, while a desi~ graph which is not
realisable cannot be implemented with !'Quantees of temporal correctness.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. THE REAL-TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 27
Jeffay proved &h_t th~ followins conditiQnl are neceslary and sufficient for realiaability of
detisn srapbl:
1. ACJClic, VH:1I-Jormed design graphs are realisable.
2. Design graphs with dujoin' cycle. are realisable iffat lead one channel in each cycle haa
a nonidentity transmission rate function. This will be discuued. informally in chapter 5.
Detlnition 7 Two cycle. in a de.ign graph are diajoint if no proceu appear' in bo'h
cycle•.
De8nition 8 1/ 'he trammu.ion rate function, fer), oj a channel u defined bJi ~r,
then the slope 0/ 'he trammiuion ra'e Junction i6 ~.
We can now formally define the condition for realisability of a graph with disjoint cycles
as follows:
Definition 8 Let G be a design graph with a cycle C oj n distinct proceues and cuJln-
chronoU8 channe18. Let '*, '*, ...,t be the "lope. Jor the trammiuion rate /unctiOR6
Jor the channe18 in C. If C i6 disjoint from other cJlclelf in the graph, then the tnu18mi6-
6ion rate junctioR6 Jor the channe18 in 0 can be 60llled iff
3. Design graphs with non-d~joint cycle.; are realisable only if the following two conditions
are met:
(a) At least one channel in each cycle has a nonidentity transmission rate function.
(b) There must exist a process or sequence of processes in one of the cycles in a non-
disjoint set of cycles, in which at least three messages must be sent to the first
process in the sequence before a message can be emitted from the last process in
the sequence. Formally:
Definition 10 A .imple cycle in a design graph i& a cycle in which all venicu
a~ di6joint.
Definition 11 Let G be a de. graph tDith non-dUjoint Cllclu. Let C 1 aM C2 6e
two non-dUjoint, aimple cyclu. Assume that C. and C2 contain n and m pJ'OCU.6U
rupectiuel,. Ifprocusu in 0 1 are interconnected with channels v;ho6e tronmawion
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 3. THE REAL-TIME PRODUCER/CONSUMER (RT/PC) PARADIGM 28
nate P.ndio.... hatle Ilope, fi,:;, ...,t;, and procel«, in C2 are inlert:tJflll«UfI
1Dith channel. wlaOK trarumiuion rate "'ndio.... Mve IJope. -4i, 'li, .·., t=, tMn
'he lra....miNion rate junclionl!or the channel. in C. and C2 can be IOltlell onlr il
" '"(II Zi - 1)(II lIj - 1) > 1
.-1 j-J
We do not have sufficient conditions for when the transmillion ra.te functiou can
be solved for arbitrary patterns of non-disjoint eyda. However, if each pair of
simple cycles haa at mOlt a lingle process that receive. meslages from a di.tinct
proceu in each cycle, then the necessary condition given above i. also sufficient for
solving the transmission rate functions.
RealiHbilit,analysis is called proceuor independent analysis because a. realisable delip sraph
can alwa.ys be implemented on a fast enough uniprocessor. Temporol cofT't'.ctnea is a meaaure
of the correctness of an implementation of a design graph. The following chapters describe
an experiment to investigate how realisable RT fPC design graphs can be implemented to be
temporally correct.
Stellenbosch University http://scholar.sun.ac.za
Chapter 4
The ESE Kernel
In chapter 3 we discussed Jeffay's method of developing real-time systems with guaranteed
temporal beha.viour. He showed that his RT/PCI paradigm can be used to design systems
with hard real-time constraints in such a way that all deadlines can be guaranteed. He also
showed tha.t RTfPC is realisable by developing a kernel which supports RTfPC design graphs,
and by implementing a number of systems with hard real-time constraints on it [28].
Jeffay's system runs on the UNIX operating system on a Sun workstation, and interacts
with devices at a very high level. I propose that RTfPC is also suitable for the design and
implementation ofgeneral embedded reactive systems. In order to investigate this, I developed
a nontrivial example on an industrial embedded platform. In chapter 5 we shall examine the
implementation of the case study. To support RT fPC systems on an embedded platform I
developed a kernel, called Embedded SY6tem6 Executive (ESE - pronounced "easy"), whica
runs on Intel SOx86 based hardware platforms. In this chapter we shall examine the design
of this kernel.
4.1 Embedded Reactive Systems
Embedded systems are usually reactive. A reactive system is idle until an event occurs in its
environment. The system performs certain actions in response to the event, and then awaits
the next event. A state machine can be used to determine the reactive system's response to
a particular event, given the current state of the system. The action taken by the reactive
system in response to an event can change the state of the oystem. We can define a reactive
I Re~TUDe Prodacer/Co...mer
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TllE ESE KERNEL
State
Machine
30
Input
Events
Output
system as follows:
Figure 7: Reactive system
Definition 12 A reactive system i8 an event driven state machine.
Figure 7 shows the components of a. reactive system. Input events are generated by devices
in the environment of the system. The driver process receives the events, and executes the
state machine. The execution of the state machine typically causes output to be generated.
The output may be control signals to a device, data written to a persistent data store, or
messages sent to other processes in the system.
An embedded $1I$tem is an autonomous component of a larger system. It can run on an
autonomous hardware platform embedded in the hardware of the larger system. Examples of
such systems are intelligent communications adapters, disk subsystems, etc.
Autonomous stand-alone systems often suffer the same problems as the embedded systems:
hard real-time constraints, limited CPU, RAM and other resources, etc. Examples of such
systems are robots with autonomous control systems.
A software system can also be embedded within a larger software system - in other words,
run on the s;.me hardware platform of the larger system. Examples of such systems are
real-time syf'tems which are embedded in general purpose operating systems.
Th~ main characteristics of embedded systems lU'e:
• Devices introduce concurrency - embedded systems usually interact with several au-
tonomous devices. These devices introduce concurrency which is best modeled as a
system of communicating processes.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 31
• Device. have real-time requirement. - device. utliually have to be lerviced within .ped-
fied temporal limit., otherwiae information i.la.t. Many problem. in embedded .y.tf!m.
are timine related: .. milled event beeaule the .y.tem wu encased in another action,
an overflowed buffer because .. mellar;e consumer wu too slow, etc.
• Reactive systemi - an event dri veil reactive system can be modeled very conveniently u
a system of communicating state machines. This requires inter process communication
and the guarantee of atomicity of state machine commands.
Because of their "black box" nature, embedded systems can often be tested only in
terms of their response to events from their actual environment. Certain lequencel of
events may be timing dependent, and very difficult to reproduce. It can thererore be
very hard to find errors in embedded w-I,stems.
• Memory and CPU requirements axe usually tight in embedded systems, and re.ource.
have to be used optimally.
Conventional multi tasking operating systems do not adequately address the problems of
embedded systems. The memory requirements of a general purpose operating system (UNIX,
for example) is usually prohibitive, and the processing overhead it introduces, unacceptable.
Furthermore, the process scheduling policy of general purpose operating systems i. usually
a variant of time sliced round robin scheduling with multiple levels of priority. This has the
following implications:
• Real-time ronstraints cannot be guaranteed;
• Priority levels must be tailored to accommodate processes with higher proceuin~ re-
quiremIJnts;
• The order in which processes (which communicate via asynchronous message pasainr;)
will be scheduled may be unpredictable. Inter process message buffers must therefore
provide for the worst case of outstanding messages.
The ESE kernel is desiped to meet the requirements of embedded reactive systems which
are desi!Oed 3Ccordin~ to RTfPC. I assume that the number of prOCe&iieii and channels in
an embedded .ystem is fixed, and new channels or processes cannot be dynamically created
durin! the lifetime of the system. Jeffay's methodology can therefore be used t(\ analyse the
system, and to determine a priori whether all deadlines can always be ~ara.nteed.
Other principles which influenced desip decisions were the followin~:
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 32
• Portability - different proceuora are oCten u-oo Cor embedded .y.tem•. ESE .hould be
portable &CrOll different uchitecturea with the minimum of effort;
• State machine. - A atate machine il a very luitable formalilm Cor the deICription of
reactive systems. ESE must be suitable for the implementation of atate machias.
The rest of this chapter describes how ESE supports RTfPC and the requirements of embed·
ded reactive systems.
4.2 Events
Events are fundamental to most models of concurrent systems. In CSP [25], for example, a
process is defined entirely in terms of the possible sequences ofevents which may occur duriD~
its execution. A state machine is defined in terms of the state transitions which it makes in
response to the occurrence of events. We define an even~ 3S follows:
Definition 13 An event is an atomic occurrence. It may cause a state machine to perform
an action, or it mar generate input to a proceu.
The granularity of an event is determined by the level of abstraction at which a procca
obAerves it. Consider the following example:
A transport layer protocol sends a data unit to a. remote destination. Because the
data unit is larger than the maximum network layer datagam size, the network
layer protocol fragments the transport layer data unit into two network la.yer
data units. These fr~ents are received by the destination, reassembled by the
network layer protocol and passed to the transport layer protocol.
Let us now examine the sequence of events which describes the arrival of the data at its
destination. Our first vantage point is at the link l:;l.yer. We 8ee a sequence of events !enerated
by the physicaJ.layer, representinr; the arrival of the data:
Li1lkLa,erFrameArrival =
Openi1lgFIag -4 DataByte - .•• - Data-Byte --. eRC - CI03ingFlag-
OpeningFlag - DataByte - ..• - DataBrte - Ce.C - Clo3ingFlag.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 33
The link layer passes the data encaplulated in the link layer frames to the network layer. The
eventl Jeen by the network layer are:
N dworkLarerDatagramArrival =
FragmentlArrive.. -. Fragment2ArriveLJ.
The network layer reassembles the tran.port layer data unit encapsulated. in the two network
layer datagrams, and passes it to the transport layer. The event seen at the transport layer
is:
Tran..portLa'llerDataUnitArrival =DataUnitArrives.
The previous example shows that an event at a higher level of abstraction is the result of a
process at a lower level. What is atomic at one level is structured at another.
Physical events occur in the environment of RTfPC systems - for example:
• a message arrives on a data communications physical medium;
• a quantity measured by a sensor reaches a predefined threshold;
• a timer expires; or
• an operator issues a command.
An event could manifest itself to an RT/PC system in various ways. It could be in the
form of an interrupt; the raising of a condition which is polled; or an incoming mesA«e on
a communication link (for instance a transputer link). A physical event causes an RT/PC
input device to send a me~e to an RTfPC process. The process performs certain actions
in response to the meu~e, and may send messages to other processes and output devkes.
An RTfPC Iystem il therefore a reactive system - it reacts to input from the devices which
cOilstitute its environment, and controls devices in the environment by sending meaA«e6 to
them. All actions are taken directly or indirectly in response to events (in the form ofm~es
from input devius).
The view that RTfPC IYltems are event driven reactive systems, has been the !Uidi~prin-
ciple in the desip of the ESE kernel.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TilE ESE KERNEL
4.3 Preemptive and Non-preemptive Scheduling
34
Jeffay proved that a realisable RTIPC dClisn can be scheduled either preemptively or non·
preemptively, and Itill be guaranteed to meet all itt deadline.. As long u the earlie.' tlu.Jline
fir" (EDF) scheduling policy is adhered to, the choice of preemptive and non*preemptive
scheduling is not determined by RTIPC. The choice must be made on implementation and
other requirements.
The choice of scheduling policy for ESE was made on the design principles stated previ-
ously. The guiding principle is that ESE is intended for embedded reactive systems, designed
according to RTIPC. The requirements for ESE's scheduling policy are:
• it must be capable of supporting RTjPC;
• due to real-time requirements and limited resources, it must be as efficient as po6sible;
and
• it must support state machines.
4.3.1 Support for RT/PC
We know already that both preemptive and non-preemptive EDF scheduling will support
RTIPC. An important RTfPC requirement which impacts the choice of schedulins policy
is mutual exclusion. Both explicitly defined mutual exclusion regions and data repositories
require kemel support for mutual exclusion. If the schedulins policy is preemptive, the kemel
must implement primitives to ensure that mutual exclusion is maintained in the critical sec-
tions of mutual exclusion regions and data repositories. A non-preemptive scheduling policy,
on the other hand, implies that all threads always run to completion. This means that mutual
exclusion is guaranteed in critical sections by the scheduling policy, and no special primit.ives
are requir~ for its implementation.
4.3.2 Scheduling efficiency
The efficiency of preemptive and non-preemptive EDF scheduling can be compared in terms
of their respective memory requirements and context switching overhead.
A preemptive schedulinr; policy requires that the complete context of each process must be
maintained !~parately. In the implementation of ESE this would imply a separate stack for
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TilE ESE KERNEL
each proeeu, and that all prOCe&80r resi6tera mUlt be laved when a procen i. preempted.
35
IC the ac:hedulinS policy i. non-preemptive it i. pouible to run all proceIIN on the u.me
atack. The amount of memory laved in thi. way can be .ilDificant in an embedded .,.tem. If
sporadic processes are scheduled non-preemptively, it i. pouible to implement tbe ac:heduler
in luch a way that no context haa to be laved during a context Iwitch. Thi. mak. DOD-
preemptive scheduling more efficient than preemptive Ichedulinl, in term. of both memory
usa«e and context switching overheaJ.
oC.3.3 Support for state machines
For a state machine to be deterministic, its actions must be atomic. If it i. pouible for ,.
state machine action to be interrupted by any other action which may change the machine
state, the result of the state machine's actions will Dot be deterministic.
A preemptive scheduling policy makes it possible for a state machine action to be preempted
and for another, which may change the system state, to be 8chedl1led. Atomicity of atate
machine actions must therefore be ensured by the programmer, if preemptive ac:heduling i.
used.
A nor-preemptive scheduling policy ensures that state machine action. will alwa.ys run to
cJmpletion before fUlother process is scheduled. There is therefore no requirement for the
progammer to ensure the atomicity of sta.te machine a.ction•. A whole class of errors, which
ma.y be introduced by the inherent concurrency of mOISt reactive systems, is therefore elimi-
nated by the scheduling policy. The importance of this safety becomes even pater when the
reactive system is embedded in an environment wherp. debuwns is difficult.
4.3.4 Design decision
Non-preemptive EDF scheduling was implemented for ESE for the followin! reasons:
• non-preemptive EDF scheduling supports RTfPC;
• non-preemptive scheduling is more efficient than preemptive scheduling in terms ofboth
memory required and context switching overhead; and
• nm--preemptive scheduling ensures mutual exclusion and the atomicity of state ma-
chine actions implicitly, thus relievins the progammer of the onus of ensurioK mutual
exdulion.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
4.4 Periodic V!l Sporadic Processes
The decision to make lupport for reactive systeml & delip principle hu an important ,.ult:
pr«eue. in a reactive .,.tcm are G1VXJI/. qoradic. Thi. i. due to our definition of reactive
IYltems - the system is idle until an event eaulet it to perform & .tate machine action. A
periodic process can be supported in &. reactive system by defining a periodic timer event
which causes a sporadic process to be executed periodically.
If processes are scheduled non-preemptively, it becomes unnecessary to execute each proceu
exclusively on its own atack. But in order for all prOCeHel to run on one .tack, the activation
record of the current process must be removed from the atack before the next proceu can be
activated. This implies that the releue of a ready procesl il equivalent to a procedure call,
and that the procells must return from that procedure on comp!etion. Processes which loop
forever cannot be supported because they will never be descheduled.
Because ESE's processes are sporadic and scheduled non-preemptivel}", processes are pre-
dictable (deterministic) in both their logical and temporal behaviour. Each process haa a
sin&Je entry point, and always runs to completion. A process is scheduled only in responle
to the occurrence of an event, and will branch deterministically in responJe to the event. No
other process can interrupt an executins process and modify the .tate of the sy,tern. The
predictability ofESE processes makes systematic testing pouible, and the real-time behaviour
of a process can be measured accurately for each possible event.
ESE's non-preemptable sporadic processes are suitable for the implementation of IYltelU of
connected atate machines. Each state machine is implemented as & process. It receives its
events in the form of messages from other processest and ita output may be the input events
to other atate machine processes. An example of 8uch & system is a protocol stack. Each
protocol layer is & state machine which may be encapsulated in & process. Each layer receives
m~es from, and sends output messages to its next higher and lower neipbouring layen.
PIlOCEDURE
YAIl
..,
"e-.iz•
..s_·re
BEGI.
ESE.Ilac:.i....
e-I,
AProc••• () i
POlITER TO R•••-S.Type i
CAIDIIAL :
ESE.U••rRef
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
_I.ala.,
-I.·rc) :
CASE "I_.rc or
SOURCE.' :
Proc•••ASourc.AM•••ac. (".t UI••iz.)
SOURCE.B :
Proc•••ASourcaBII•••aca e-.t ul••ize)
DD
DO !Proc... :
37
APro«.., above, is an example of a skeleton of an ESE process. The procell entry point
is always at the start of the body of the procedure which implement. it. The lUtW!iue call
does not block, and will not deschedule the process. Each process may call Receive only once
between its entry point and termination, and a ready proceu will be acheduled eVen if it dON
not call Receive. The only ."ay in which & process can acquire the meuqe for which it il
scheduled, i. by ullin! RetW!ive, therefore it is usually the firat operation in the thread of a
procell. Receive allO returns the user reference of the active channel (for which the current
process wu scheduled). AProceH can receive menages from two channels, and URI the Uler
reference of the active channel to branch to the routine which is uled to Procell .. meuap
for that channel. There is no restriction on the number of input channels to .. proceu.
For every process in an RTfPC system, ESE stores a process record which containl .. Iymbolic
name for the process, as well as lL reference to the procedure which implements it.
Proc.....cord • RECORD
thread
EID ;
.... ;
: Thread
Name is an AScn strin!, and ."ill be described in appendix A. TJareml i ... procedure type
which contains the entry point for .. process.
ThrMcl • PIlOCEDUPE () ;
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TllE ESE KERNEL
4.5 Data Repositories and Synchronous Message Passing
38
Jeffay" data repolitoriea encaplulate perliatent data which are Ihared between proc:ellel.
In order to ensure the inte«rity of the data, a d:-.ta repolitory i. acceued only via a .inp
synchronous mess~e pusin! port. A data repository never emits uyncbronou. mella8et,
but only replies to requests. In this way access to the data repository is serialiled.
Since ESE procesaes are scheduled non~preemptively, accen to persj,tent shared data i. Ie-
riaUsed by the scheduler. It is therefore not necessary to implement a synchronous melA!e
puainS channel to data repositories. The synchronous accen to a data repository deseneratet
to a. procedure call.
4.6 Synchronous vs Asynchronous Channels
The purpose of the ESE kernel is to support systems designed according to the RTfPC
method. All RTfPC systems are reactive, a.nd messages flow from input devices through
proceues to output devices. Unlike client-server systems there is therefore no synchronous
meuace flow back to the source of a menage, except in the case of data repositories. We have
already teen that ESE's non-preemptive scheduling policy and sporadic proceuel make kernel
support for data repolitories unneceuary. We therefore need only asynchronoul channels to
support RT/PC.
ESE is aIao required to support state machine implementations of reactive systems. A state
machine implemented on ESE will receive its input events in the form ofmeBSa!e5 on channels,
and both synchronous and asynchronous message pusing could be used to send an event
meaaa&e to a state machine. However, a state machine does not always send the output,
generated in response to an event, back to the source of the event. Instead, the output
usually goes to a device controller or another state machine. In neither case is there any
synchronous message flow back to the source of an event.
When two processes communicate on a synchronous channel, the sender is preempted while
the receiver COllsumes them~e,and remains blocked until the receiver replies. This would
require preemptive scheduling and therefore a separate stack would have to be maintained
for eack process to store its contex:t when preempted.
All ESE mesaa«e pUling channels are implemented in the memory of a single proceuor.
Ch&DJlm ue therefore hishlY relia.ble, and it il unnecessary to acknowledge the deliftry of a
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 39
meuace. Alynchronoul channel. are luitable to convey the eventl and me"IoIM which low
in RT/PC ay.tema. They can be implemented very efficiently and allow & ICheduler imp&.
mentation which executes all procellel on the .ame atack. Given our dMigD principle that
ESE must support embedded RTfPC systeml, only uynchronoua menace pUling chaonelt
were implemented in ESE because of the gain in pracening efficiency and memory ulICe.
For each asynchronous channel in a system, ESE maintains a channel record with the followinl
..
.
AaJDc
Chann.la.cord • RECORD
nu. I... ;
u••r_r.f CAROllAL
r.c.iy.r Proc•••
• end.r Proc•••
p.riod
d.adlin.
....ag.
1UZ_••••ag._.iz.
DD ;
Tia. ;
Tia. ;
M•••ag. ;
CAROllAL ;
The u8er_re/ is a number chosen by the programmer to represent that channel. ESE will
use the user reference to identify the channel to the receiving process when it is scheduled.
ESE'. uynchronous channels identify both their under and receiver pl'OCe8le8. The receiver
process identification is used by the scheduler to activate the receiver process, and the .cnder
identification is used by the ESE Send command to check that each channel connects only
two processes (as required by RTfPC). The period is ltored to compute a deadline when &
mesaar;e is sent on the channel. When a message is sent on a channel it is stored in a field
called meQlJge, and maz_meuage..8ize is used to check that it is not lager than the buffer of
the channel.
The types, PfYK%U, Time and Meuage are described in appendix A.
4.7 Mutual Exclusion Regions
Some processes which share data have critical code sections in which each process must be
Ulured of exclu.ive acceu to the .hared data. H not, the critical section may be executed
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 40
incorrectly. RTfPC allows the .pedfication of mutual ezclu,ion regiolV to en.ure the "riali-
.ation of critical accesaes.
ESE's non-preemptive scheduling policy implicitly serialisel the execution of all proc:eNel,
and no s~ial kernel support for mutual exclusion regions ill therefore required.
4.8 Interrupts and Events
ESE (and RT/PC) systems are driven by messages flowing in channels. A procell will be
scheduled only if it has a message pending on an input channel, and every meuase in an
RT/PC system can be traced back to the occurrence of an event in the environment. Envi-
ronmental events usually manifest themselves as interrupts. For each type of interrupt there
is an interrupt handler which must convert the information conveyed by the interrupt into a
message, 110 that it can be processed by a process which manages the interruptins device.
For an interrupt handler to be able to send a message to its device driver process each time it
receives an interrupt, the shortest interval between any two consecutive interrupts of that type
must be longer than the time required to send a message, schedule its receiver and proceu
the message. Interrupts often occur in bursts which exceed the rate at which the receivins
device driver processes can be scheduled. When this occurs in an RTfPC gaph, the dMip
is not realisable. In practice, however, there is usually a known upper bound on the lenph
of a burst of an interrupt.
Consider, for example, the device driver process of a communication. device which provide.
a. physical layer service to a link layer protocol2• The shortest possible inter frame delay
can occur when any frame is followed immediately by an information frame with ODly one
data byte. An information frame with one data byte consitts at the phylicaJ. frame level of
7 bytes, composed as depicted in figure 8. The worst cue interrupt behaviour (a.umins a
connection with no idle time) is therefore a frame followed &even byte transfer intervals later
by an information frame. At a transmiuion rate of 64000 bits/. this tranalates to aD inter
frame period of 875ps. In the case study described in chapter 5 an X.25 protocol stack is
implemented on an Intel 80188 proceuor runnin,; at 10MHz. On this platform the system
would be hard preued to service a sustained burst of ahort frames, if scheduled strictly
accmdin,; to the semantics of RTfPC.
2nu. ezuaple __ &1Ie &ue fonIat of tlte balaac:ed liak ae:ee- pmced_re prolocol (LAPS) of CCIIT'.
X.25 pro&ocoI.lack.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TilE ESE KERNEL
openms address control data eRe CRe IC10ilOS
ftl.« byte byte byte byte byte ftac
Figure 8: Information frame format
,.--------------,
41
ENVIRONMENT
interrupting
device
:RT/PC
I input
I device
I
I
SYSTEM
device driverprocels
L -'
Figure 9: Fast Interrupting Device: Unrealisable System
H the link layer protocol implements a reliable service with window flow control, we know
that a sustained burst of frames cannot be longer than the available window size. We abo
know that another bUIst will not be received until some of the received informa.tion frames
have been acknowledged. This means that incoming frames can be buffered, and because the
upper bound on the length of a burst is known, the receive buffer can be made large enough
so that no incoming frame is ever l06t due to buffer overflow.
When the length of an interrupt burst is bounded as described above, the interrupt handler
can buffer messages from input devices, and release them into the system at a rate at which
the desip is realisable. In effect the boundary between the system and its environment i.
shifted. Instead of the physical device determining the rate of the input device, the input
from the physical device is buffered. The rate at which messages are released into the system
i. determined by the buffer, which is logically a part of the environment.
Fipre 9 shows a system with a device which generates interrupts too fast for the system
to be realisable. Figure 10 shows the same system, with an interrupt buffering mechanism
which releases events into the system at a realisable rate. The figure shows how the interrupt
bu1f'ering mechanism becomes logically part of the environment rather than the sy.tem.
In LSE an interrupt handler sipala the occurrence ofan interrupt on an input port, which is an
uyuchronoua channel which does not convey data - only the fact that an event has occurred.
An input port count. the number of sipall it receives and ita receiving process is scheduled
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
r- - - - - - - - - - - - - - - ~ - - - - - - - - - - - - - - -,
42
ENVIRONMENT
RT/PC
input
device
SYSTEM
interrupting I----::JO--r---I.II----...r
device
device driverprocess
...... .....J..- I
Figure 10: Fast Interrupting Device: Realisable System
once for every signal received. Each input port is assigned a period, and its receivins procell
is scheduled according to the same EDF policy which applies to asynchronous channel..
InputPortR.cord ~ RECORD
naa. 1..8 ;
u.er_ref CAROIIAL
r.c.i....r Proc... ;
period Tiae ;
1•••1 CARDIIAL
d.adlin. Tia. ;
DD ;
Each time that an interrupt handler signals on an input port, the level of the port ia incre-
mented. Each time that the receiving process of the input port is scheduled, the level of the
port i. decremented. The receiving process of an input port is ready when the level of the
port is nOD.-n~ative (level ~ 0). A deadline is calculated for an input port when it receives
& aipal while its level is zero, or when its receiving process is Kheduled and the new level is
still DODZero.
The period of an input port haa the following scheduling implications:
• ifthe level ofan input port ia positive, and no other input porta or uyncluonou claaaae1l
are ready, then the receiving praceu of the input port will be Kheduled immediately;
• if aaotlaer ur-chronoua channel or input port haa aa earlier deadline, tile JeceiYiIIg
prace. of & ready input port will be scheduled no later than ita dNdliae; aad
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 43
• if Rveral occurrence. of a.n interrupt hl.ve been buffered, the receivins proc.eN of the
input port will be scheduled once for each level of the port, and the delay between each
releue of the receivins proce•• will be no creater than the period of the input port.
The period ofan input port theref'lre determines the minimum Irequt~1Jat which itt receivia,
process will be scheduled. If the system is not heavily loaded, and there are no other clauDeJa
with earlier deadlines, the receiver will be scheduled faster than the minimum frequency.
A system ma.y recognise other events than just interrupts. If a process haa &n event to aipal
to another process, it may do so by sending a message to the other procell. Such a meIHIe
would not contain any data, since it merely indicates that &n event had occurred. The .ipal
command of ESE can be easily generalised to support another kind of port: one which one
process uses to signal to another process (rather than an interrupt handle: to ~ device driver).
ESE therefore supports two port types: an input port for interrupt haudler,;, and a general
port for processes.
A general port identifies its signaling process as well as its receiving process. The signal
command checks whether the current signaling process is the declared signaling procell of the
port. This guarantees that ports, like asynchronous channel., are unidirectional connections
between only two processes. An input port is logically a connection between a physical device
and & process, and because interrupt handlers are not activated by the scheduler, the identity
of the signaling process cannot be checked for input ports.
4.9 Timers
Many reactive systems require timers to implement periodic processes, to verify the comple-
tion of tasks, or to check that certain events occur within a. specified interval. ESE lupporta
timen which can be set to expire after a. specified interval, after which it lend. & meuase
to & process on an aaynchronous channel. A880Ciated with each timer il & uer referen«, a
c1uJnnel to send notification of expiry on, and a deadline.
T:iaer"cord
uaer_ref
notification_channel
deadline
lID :
• RECORD
CARDIJAL
'.pcChaDDel :
TiM ;
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
A-rncClaannel :dentifics &Il asynchronoul channel in ESE'. channel table. It will be delCribeci
in IeCtion A.
When a timer it .tuted, ESE calculatel it. deadline bued on the current .,.tem time aDd
the period .pecified in the requelt to .tart the timer. A Ilpedal Procell il periodically IChed-
uled to check whether any timers have expired. If the current Iyltem time il later til.. &
timer's deadline, the timer is stopped and a notification sent on its notification channel. The
notification consists of a message which contains the user reference which wu lpecified when
the timer wu set.
4.10 Implementation of Scheduling
To the acheduler there is no difference between an asynchronous channel and a port. Both have
a name, uler reference~receiver, period and deadline. For the rest of this section asynchronous
channell and ports will both be referred to as channels, except where it is neceuary to
diatinpi•., between the two. "Channel" should be read as "channel (or port)" , and "meJla!e"
.hould be read &I "meuap (or signal)".
Proc•••
·f
: II.....
·•
: CARDIIAL .f
. CAllDIIAL .. f
• RECORD
.... j
CARDIIAL
Proc•••
·•
Tia. .f
Tille
Chann.lTJP. OF
......
au.....·ac·_·iz•
llPUT_P01T
1•••1
ChaDD.lllecord
period
deadline
CASK chann.l_tJP.
1SUC_CHAJIEL
....d.r
DO
aD ;
ESE mamtaiu & table of channels for achedulinl P1II'J)OIe8:
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 45
chum.l.tabl.
channel.
Do.of.channel.
DO ;
RlCORD
"MAY [0••1Il1.CHAllELS·1] or Chumela-cord ;
CARDIIAL ;
Because ESE processes are sporadic, a. process will only be scheduled when there i. a meuap
for it to process - procesBeI are not scheduled periodically. Jefl'ay showed that all meI.apt
in a feuible RT/PC design will alway. be processed beCore their deadlinet, if their receiviDI
processes are scheduled according to the earliest deadline first (EDF) polley. Becaule dead~
lines are associated with menaces, a process is scheduled to proceu & meIAIe OD a specific
channel: the one with the earliest deadline - the process cannot decide which channel to
accept a message from. In contrast. a process in a general purpose operatinK sy.tem can be
scheduled whenever it is not blocked on a specific communication command, and can uually
determine which message to process first. When no channel bas a pendinK meuace, the ESE
idle proeea is scheduled. The idle process is also a sporadic process and runs to completion
like all ESE processes. The Select procedure of the ESE scheduler determines which process
to activate next.
PROCEDURE
YO
nut.channel
BEGII
LOOP
: ChannelInd.x
S.lect (next.channel) ;
a.l.... (n.xt_channel.r.c.iyer)
EJD
£II') Scheduler ;
Beca.ule of the policy of scheduling according to deadlines associa.ted with channels, ESE dOM
not maintain a ready queue of processes. Instead, channels are sorted in increuill& order of
deadlinet. When the scheduler i. executed, the channel with the earliest deadline is found ill
the channel table. It contains a reference to its receiving proceu, where the scheduler caD find
its entry point to schedule. The scheduler will always schedule the receivin!: Procell of the
clum.nel with the earliest deadline, and tha.t proceu will not be preempted. All proceAell ruJl
to completion, and after initially schedulin& the first process, the scheduler is only invoked.
every time a process completes execution.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 46
A deadline il calculated for a channel when a meilAle ill lent on that channel. The deadliae
i. equal to the current .y.tem time plu. the period of tbe cbannel. A channel'. deadline i.
therefore the earliest time at which another mellAle can be lent on it. The receiviDI proceM
of a ready channel mUlit be scheduled before it. deadline to proceu the current meuap,
otherwise mesaage collision will occur.
Schedulinl the next process involves finding the channel with the earliest de.adline, and calliDI
the thread ofits receiving process. To find the channel with the earliest deadline, the chanllet.
muat be ordered by their deadlinca. The channel ready queue can be IOrted when one of the
followinl events occurs:
1. When a meuage i8 5ent on a channel. A list of channels with pending meuaset mUlt
be maintained and ordered by deadline. When a. message is sent on a c.hannel a deadline
is calculated for the channel, and it is inserted into the correct position in the ordered
list.
• If the ordered ready queue of channels is implemented as a. linked list, the com-
plexity of the insertion of a channel into the queue is of order D(n), where n is the
number of channels.
• If the ordered ready queue of channel. i. implemented &I a randomly acceuible
queue, a binary search can be used to find the position for a new channel. The
complexity of a binary search is of order 0(109 n), where n is the number of
channda. In order to insert a new element into the queue, its existin~ element.
must be moved in time proportional to n.
In both cases, sending a message introduces an unpredictable delay with a known "pper
601100 into the execution time of a sending process.
2. When the c~rrentproceu complete. execution, and the «heduler .elect. the nezt proce$6.
In this cue no ordered queue need. to be kept if all channels are examined durinl the
lChedulinS to determine the one with the earliest deadliJae. This incurs a con.tant 0(71)
overhead on the cost ofachedulins, and the ordering of the ready channels haa no impact
on the execution time of a process sending process.
AI both the approaches described above have a know worst case behaviour, either caD be
uled in the implementation of the EDF achedulins policy. ESE employs the second approach
for the folJowiDS reasons:
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL 47
• No ready queue (or channeIJ i. required. Thi••implifie. the implementation, aad I&YeI
data and code .pace. No dynamic data .trudur. (pointen) v, reqwred for tlte $C1aed-
uler, raiunl coafidence in the reliability of the ICheduler.
• A simple iterative routine finds the earlieet deadline. The COlt of this operatioa iI
constant for a ~ven number of channels, and can be determined accurately.
• No unpredictable dela.y is incurred by BOrtin! the channel ready queue when a procell
sends a meuase on a channel. The execution time o( a. procell can be predicated
accurately.
The fint channel in the channel table is initialised as the input channel to the idle procell.
All channels receive an initial deadline of MAX (Time).
WITH chaDDel_~able.channel. [0] DO
D_ : - 'Idle Proce.. Input Channel) ;
u.w_re:r :- IDLE_PROC_CHADEL
receiYW : - idle_proce.. ;
deadline :- lUX (TiM) ;
EID ;
chaDDel_~able.Do_of_channel. :- 1
Selectllelecta the fint channel with the earliest deadline (more than one channel ma.y .hare the
earliest deadline) &8 the next chp.nnel. A ready channel will have a deadline of less thall MAX
(Time). H no channel i. ready Select will default to the input channel of the idle proc:ea.
c
Selec~
ChannelIndez) ;
ChannelIndex ;
BEGIJI
Dext_chaDDel :- 0 ; ,* Input channel to idle proce.. *) ;
c :- 1 •
VIlLE c < chaDDel_table •no_of _channel. DO
IF
<!bannel_table.chaDDel. [c].deadline <
cbannel_1:able.chunel. [next_chunel] .deadline
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
THO
next.channel :- c
110
lie (c)
DO ;
chunel_'table.channela [next_channel] •deadline :- MAX (TiM)
EID Select ;
4.10.1 System clock granularity
48
ESE requires a hardware clock to determine deadlines accurately. H the system clock SfUU-
larity is much coarser than the period ofinput events, more than one process may be scheduled
between two clock ticks. When this happens, the deadlines of channels cannot be determined
accurately, and the deadline of a channel may be set earlier than it should be.
Fipre 11 shows a system where such a problem can occur. It shows three channels, each
with the ADle period, and with the same execution cost for each receiving process. The
system clock Ifanularity is five times the execution time of the receiving processes. The
period between events that occur in a burst can be much smaller than the timer panularity.
For this reuon meua&es on the input channels of processes 1, 2 and 3, which occur in the
same interval between two system clock ticks, will receive the same deadline.
H a number of ready channels share the earliest deadline ESE's scheduler will alway. select
the first one it encounters. If the clock panularity is coarse enou~, two successive mesA!es
on the same channel can receive the l&Dle deadline. The scheduler may then repeatedly Ie1ect
& channel with & low channel number even though there is & channel with a hisher ch&llJlel
number, and the same deadline.
In fiSUre 11 three chunet. share a common release time, and therefore a common deadline.
The blackeDed circles ahow the release times of the chunet. (in real time) and the unblackeaed
cirelee .bow the deadline of each channel (in .ystem time). The filled boxes OIl the ready
intervala of' the channels indicate the period for which the receivinK proceaa of tha.t chaanel
waa lclaeduJed tc proceu the pendillK meAa!e. The fiKUre showl hCJW proceu 3 will Dot be
acJaeduled before the deadline of ita input port, becaUIe proceuea 1 and 2 were repeatedly
Iclaeduled before it.
From the example it .hould be clear that a system clock uanularity, ofat moat the miaimum
period of tH molt freqaent event, i. required to ensure that the deadline achedulin& policy
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TllE ESE KERNEL 49
i. correctly applied. The provi,ion of luch a Cut clock can however place .. heavy iaterrupt
handlins overhead on the 'yltem, or may be phy.ically impouible in lOme .y.telDJ. For
example:
Th.:: ESE dock gra.nularity il configurable, but for the platform uled in the cue
study in chapter 5 it defaults to a 50m& tick. Systems implemented on ESE on
that platform have however had bounded burst signal periods of down to around
5OOp8. A timer tick of 500ps would ha.ve placed an intolerable interrupt handlins
burden on the system.
One solution to the problem is to keep an ordered deadline queue, and alwa.ys insert .. new
channel immediately before the next later deadline. This would ensure a temporal orderin!
on channels with the same deadline, but would incur more overhead in finding the correct
position for & new channel in the queue. An even more serious problem is the inaccuracy of
the clock, and the fact that channels which receive the same deadline in this scheme may not
have had the same deadline had the clock granularity been finer.
The ESE scheduler addresses the problem by artificially inserting fine grain clock ticks into the
clock, thereby providing a finer grain clock. A deadline is calculated each time a meuase or
signal is sent on a channel or port, 80 ideally message events must occur at different in.tances
of the .y.tem clock. In ESE the system clock is therefore incremented by a fixed amount ea.ch
time a mess:1.gt! is sent, or a port is sign&Jed. This has the effect of insertins fine Slain clock
ticks. The system clock drift caused by the inserted ticks is controlled in two way.:
1. The amount by which the clock is incremented with each communication event is chosen
80 that the sum of such increments will not exceed the length of one ESE timer tick
interval in one such interval. This can be accurately determined because the rates of all
channels are known.
2. At each hardware clock tick the clock is incremented to one tick interval later than the
previous hardware clock tick. The effect of the inserted fine grain c1ocl( increment is
therefore cancelled at each clock tick, and the ESE clock remains &I accurate as the
hardware timer which provides the tick.
Althoap the ESE clock will never be accurate at the fine Slain, it i1SUaranteed not to drift
&om tlae laudware timer. If the COIl.tant with which the clock i. incremented with each
communication operation i. choeen carefully, the behaviour of the clock i' accurate enousla
to euure conect schedulio!.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
Figure 11: Scheduling with course clock ticks
50
Figure 12 shows the same events as the previous figure scheduled with inserted clock ticks.
All deadlines are now met.
4.11 Performance of ESE
To measure the efficiency of ESE's scheduler two p; ~Ac1e8 were p~ammed to exchan~a
2 bytem~e 120000 times. Thil meanl that th~ schoouler wu executed 120000 times to
lwitch between the two processes. The test wu ~xecutedon a 50 MHz Intel 80486-bued PC.
Table 1 showl the results or this test. Note that the cont- xt switchins overhead is coutant
for a specific confisuration or channels. This pr~ctability is important in hud real-time
ayl'tems.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. TIlE ESE KERNEL
Real time
Common
release
time
... ~ -
-
-
-L __
r- - -
-
-
..
- - -,
-
_ __ .J
- - -,
-....,
Process 1
Procell 2
51
l- f- - .J
- -
,
-----
.....
-
ProceA 3
L _
clock tick Ie clock tick Ie + 1
_ .J
Figure 12: Sched.uling with inserted fine grain clock ticks
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
No of Channell (n) Total Time Tuk Switch (t) C =(t.28.4}/n
2 3.591 30ps O.Sps
3 3.61 3lps 0.8p1
4 3.811 32P1 O.8P1
5 3.861 33pa 0.8pa
10 4.3& 36pa 0.8pa
20 5.221 43pa 0.8pa
30 6.171 51ps 0.8pa
40 7.11s 59pa 0.8pt
50 8.4. 70pt 0.8p1
100 13.451 112Jl1 0.8pa
200 23.42. 195p1 0.81'1
Ta.ble 1: Task Switching Overhead
Task switch (pI)
200
52
180
160
140
120
100
80
60
20
20 40 60 80 100 120 140 160 180 200
No of channell (n)
Fipre 13: Tuk IWitclaiDI cw.t of channell
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 4. THE ESE KERNEL
I No of Timers ITotal Time ITuk Switch I
1 3.591 29.91"
10 3.591 29.9#1
100 3.591 29.91"
1000 3.64. 30.31'.
Table 2: Timer Processing Overhead
53
The cost of the ESE Icheduler consists of two components: a fixed setup component (X), and
a variable component (C) which is proportional to the number of confipred channels. The
cost of a task switch (t) is determined by the following formula:
t =K +n X C,
where n is the number of configured channels. For the hardware used for these teats, the fixed
component is approximately 28.4p8 for all channel configurations, and the variable component
0.8 pi per channel. In other words, for any given configuration of channels on this platform,
all task switches will take approximately
(28.4 + n x O.8)ps
to execute. Figure 13 shows a graphical representation of the context switching overhead
incurred for different numbers of channels.
Timeu are used extensively in typical reactive systems. To measure the overheat1 :ncurred by
timers, different numbers of timers were configured, and the context switching rate meuured.
Table 2 showl the results of this teat.
As can be IeeD. from tables 1 and 2, the number of configured timers has a nesli~ble effect
on the context switching overhead, while the number of channels created for timen has
.. sipificant effect (lee table 1). When .. large number of timen is required, the context
switching overhead incurred by creating .. channel for each timer can be considerable. In the
next chapter we shall examine .. llOlution to this problem.
Stellenbosch University http://scholar.sun.ac.za
Chapter 5
Developing Reactive SysteIns
5.1 Introduction
The ~oal of this chapter is to provide a. step by step description of the praceu of design,
analysis and implementa.tion when one uses Jeffay's RT/PC paradigm [28] and the ESE
kemel. A real example is used throupout to illustrate each step in the proceu. We shall
see that two extensions were required to the basic ESE kernel to support industrial reactive
systems: mailboxes and alarms. Having described the development process we shall diSCUBS
some oblervatiool derived from using RTfPC and ESE in practice. Finally we Ihalliummarile
the development process.
The main Iteps in the development proceu are: requirements definition, sy.tem desip,
RTfPC design and analysis, and implementation. At the start of each section which de-
scribes a step in the development process, we shall describe the purpoee and output of that
step.
5.2 X.25 case study - requirements deflnition
The purpoee of the requirements definition step in the development proceu i. to atate c:leuly
what the functional and performance requirements of the finished system are. The ouput of
this atep i. a specification document which delCribes the requirementl. We .hall discu.. the
functional and performance requirements of the X.25 implementation briefly, but since it is
not a part of Jeft'ay's method, we shall not develop a complete requirements specification here.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTNE SYSTEMS 55
The requirement. definition ii, however, an important atep in the development procell. Tlae
application of Jeffay'. RTfPC method requires accurate information about the rate at which
event. occur in the environment of the .y.tem, u well u the performance requirement. of
the .y.tem.
My cue study is an implementa.tion of CCITT's recommeada.tion X.25 protocol.tack, em-
bedded on an intelligent ISA bus expanlion card. The requirements of the embedded IOftware
are:
• an embedded implementation of both the link layer (LAPD) and packet level protocol.
of CCITT's 1988 recommendation X.25 [62];
• the packet level protocol must support up to 200 standard two w~,y logical channels;
• a user interface to tne X.25 packet level protocol, whic4 provides access to all X.25
facilities; and
/
• line speeds up to 64Kbps must be supported._
Fipre 14 shows a block diagram of the hardware platform on which the X.25 protocol.tack is
to be implemented. It is a PC/AT (IS!..) bus expansion card with the following components:
Intel 80188 pproc:euor""l'unning at 10 MHz, for protocol processing. The proceuor has
integrated interrupt and DMA controllers. This faeilitates full duplex DMA acceu to
and from the network interface controller.
25IJKbyte LoeaJ Memory. The protocol Btack must execute from local RAM, and ill X.25
buffers will be kept there.
Intel 82CSQ.I0 Serial Communications Controller (SeC) which support. full duplex
synchronous communication, and performs framing, bit stuffing/8trippin~ and eRe
computation.
PC Interface consi8tin~of32 KByte dual port RAM, an interrupt each for the card and the
PC, and an I/O port each for the card and the PC. Interface primitives are exchan!Cd
between the hOlt PC and the card through the dual port RAM window. The I/O port
is used by the PC to reset the card and to generate an interrupt to the card's on board
procesaor. The card uses the I/O port to genera.te an interrupt to the PC.
The stated system requirements make strenuous demands on the card's processor and available
BAM. Consider the following examplee:
Stellenbosch University http://scholar.sun.ac.za
CHAPTER. S. DEVELOPING REACTrVB SYETDMS
-
Local RAM
256 Kbyte
Network
..-- Interface
sec
pprocessor
I--Intel 80188
-
I -
I
Interrupt Dual PortI/O Port RAMIRQ2•.15 32 Kbyte l-
I n
Figure 14: Block diagram of iX.25 hardware
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS 57
1. The buft'er space required to luppcrt 200 Itandard 100ica! channell can be calculated ..
foIIOWI:
Standard packet lize = 128 byte-
Standard packet level window aize = 2 packets
Each two way locical channel hu an incomins and outsoins window =.. packets
200 losical channels therefore require
200 X 4 X 128 = 102400bute&(lOOKB)
The link layer buffer space requirement is given by
2 x window "izex
(maz pGr.ket "ize +pGcket header +LAPB header +C RC)
H the packet size is negotiable up to the X.25 maximum of 4096 bytee, the LAPB
window size is 7, and sequence numbering of both LAPB and packet level is Itandard,
the link la.yer buffer space required is
2 X 7 X (4096 +3 +2 +2) = 57422b,lte,,(±56KB)
The total buffer apace requirement for the protocol stack is therefore ±l56KB. This
leaves plus minus 100 KB of the card's 256 KB for the code, atack and data lePlents
of the entire implementation.
2. LAPB can receive a burst of information frames up to its maximum window aize. The
smallest information frames which can occur in a burst, is a burst of packet level com-
mand frames: for instance, one RR packet for each of a Dumber of l~ca1 channell. At
64Kbpa, the transfer time for one byte is:
1
64000 x 8 = 125#8
Each. LAPB frame will consilt of an opening flag, an address byte, a command byte, 3
information bytes (the packet level RR), two eRe bytes and a. closinK Bag= 9 bytes.
The minimum transfer time for a frame is therefore
9 x 125,. = 1.125m&
Incomins frame eventl can therefore occur at rouPly 1.125m& intervala.
The throushput of the host/cud interface is rouPJ,y 2Mbps. Assume that the host may
lend a lUatained bW:1t of data reqUes~1 to X.25, each 130 bytes IonS (incluWn« data. and
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
control). The messages from the hOlt may therefore arrive at interval. of approximately
651".
Alil can be seen from the above, the rate at which event. can occur i. very hiSh. On the
target Intel 80188 processor ESE processes cannot be scheduled, or conlume eventl, at
these rates. The system can therefore not deal synchronously with each event.
5.3 System design
In this section we shall create a top level design for the X.25 implementation. The purpote
of this: section of the development process is to understand the functionality of the X.25
protocol stack, and to decompose it into manageable blocks. At this It.e we do not yet
concern ourselves with Jeffay's method, but we translate the statement of requirements into
a. functional specification/design. We shall not develop a detailed specification here, as it is
not a part of Jeffay's method.
5.3.1 Block design of X.25 system
The requirements stated in section 5.2 suggest a. design conli,tinr; of three module.: a uler
interface, the X.25 packet level protocol, .and the LAPB protocol. A fourth module, the
interface to the network interface hardware, is also required. We .hall call theM modula
NL3IF, PLvl, LAPB and see Driver, respectively. Figure 15 show. the modules of our
deaip in relation to the OSI 7 layer stack and the X.25 .pecification.
The ISO's 7 layer model for open systems interconnection (OSI) [61] specifies 7 protocol
layers, as well as service interfaces between each pair of protocol layen. For instance, the
Transport layer (TL4) and the Network layer (NL3) share a service interface: the Network
layer Interface. In OSI this is referred to u the n·interface between the a-layer and n+l-layer
protocolJ. The X.25 specification [62] .pans the lower three la.yers of OSI: Physical, Link uad
Network, but it does not specify any service interfaces. Our ata.tement of requirements adds
to the X.25 specification a Network layer interface. In our case study the Physical layer i.
implemented in hardware. In our software design, the Phylicallayer i. repreaented by the
device driver which interfaces with the physical layer: the serial communications COD.troUer
(SeC) device driver.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
OSI
59
Application
layer (AL?)
I PL6 &ervice I
Preeentation
layer (PL6)
I 8L5 service I
Seuion
layer (SL5)
I TL4 aervice I
Tranlport
layer (TL4)
I NL3 Service I
Network
layer (NL3)
I LL2 lervice ,.
Link
layer (LL2)
I PLI service t
Phyaical
layer (PLl)
Embedded
Implementation
X.25 NL3IF
I Packet I PLvllevel
[ LAPB I I LAPS
X.21/ I secX.21 (bis) driver
Fipre 15: OSI/X.25/implementation correspondence
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
State
Machine
Input ---t Driver ProcessEv~rlt8 j--- Output
60
Figure 16: Protocol machine implementations
5.3.2 Proceu decomposition
A process is a useful abatraction for an autonomous component of a system. If processes
communicate via message passing they do not need to share data structures, and concurrent
access problems are eliminated. A process is also a clean way of dealing with asynchronous
events in reactive systems. When an event occurs, a process is scheduled to process it.
We dlle the following criteria to decompose & system into proces&el. Reactive :.y,tems are
driven by events in their environment. These events enter the system in the form of interrupts.
An interrupt handler then signals the occurrence of the event to & process, which iascheduled
by the scheduler. AtJ.y component of a system which is decompoeed into an autonomous
module, and which allO processes eventi, is a candidate to be .. proceu.
Of the four modules already identified in our X.25 design, three wiD process events: NL3IF,
PLvl ud LAPB. The sec driver will consist of library routinel to initiate transmiuion and
reception, and interrupt handlers. When it is decomposed into the three processes above, our
design becomes a system of communicating reactive systems. Each procell receives events on
its input channels, and generates output in response to these eventl. When the output i. a
meaa«e to another process, this message constitutes an input event to the reactivo!! system
repteleDted by that procell.
Fipre 16 .howl the structure of each process in our desip. Since each process implementl
& protocol machine (a lervice protocol in the cue of NL3IF) each emulates & state machine.
Each protocol haa a unp! driver process which receives all events (sipala and meua«ea) for
that protocol layer. Thil procell activates a atate machine which processes the events, and
senerates output meMales to devices and other proceues (protocol layers).
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
5.4 Design and analysis of RTfPC systems
61
The purpote of this aec:tioD is to deacribe how Jeffay'. analy.i. techniques for RTfPC .y.tems
can be applied to a real Iy.tern. The loa! of Jeffay'. method i. to delip and implement a
syatem of communicatins proceaet in luch a. way that the implementation i. known to be
temporall, correct (Definition 5, section 3.6).
The methoo involves two steps: the first is to develop a reoliMJble design sraph (Definition 6),
the second to map the realisable design onto a. viable implementation of tasks! and channel•.
A realisable desip i. one that can be implemented. If the worst cue rate ofeach uyncbronou.
channel in an RTfPC sraph i. known, it i. theoretically poc.ible to achedule it. proceaea in
such a way that the .y.tem adheres to the RTfPC paradigm. A design sraph i. therefore
realisable jf its channel rate functions can be solved.
De8nition 14 An implementation 01 a set 01 t06b i& viable if every ezecution 01 every taM;
i6 parunteed to complete before it6 deadline.
Viability as a measure of the correctness of a system of tasks is relative to the implemen-
tation atrateo' employed for those tasks, and !8 dependent upon the processor used for the
implementation. In aection 5.4.5 we shall identify specific conditions under which a realisable
desip sraph has a viable implementation on the ESE kernel.
5.4.1 Realisability of a design graph
Jeffay determined conditions2 for the reali.ability of three dalles of design graphs: acyclic
desi~ ~hll, ~phs with disjoint cycles and graphs with BOIl-diajoint cycles.
1. An acyclic design gaph ill realisable if there exist. a path from an input device to each
proceu in the system.
2. The transmiuion rate functions of a cllcle, which is di8joint from all other cycles in
a desip gaph, can be solved iff at least one channel in the cycle has a non-identity
trannniuion rate function.
JWe .lIaJ1 ue tlte ten.. 'ul. wllea we refer to a proce.a ia u imple..eatatioa. ud prooeu wlto we refer
10 a prua:. ia '~delip~. la t~ ual,. tkat foIlowa. tm lIeJpI .. to diaUapilla betweea tH daip
&ad ita iMp&e.a&a&ioa.
2&diota 3.'COIIWu Jon.al 'f'enio..or tile aecaAr)" ud ••fIicie... coaditio.. for deap crapu witla cydel.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING UEACTIVE SYSTEMS 62
Figure 17: Nested cycles
3. The transmission rate functions of a pair of non~disjoint,simple cycles in a desip graph
can be solved iff:
• there is only one process which receives messages from a distinct proces. in each
cycle;
• each cycle has at least one channel with a non~identity transmission rate function;
• one of the cycles has a sequence of processes in which at least three messages are
required to be input to the first process in the sequence, before a message can be
emitted from the last message in the sequence.
Figure 17 shows two examples of non~disjoint cycles. The realisability conditioDs for
non-disjoint cycles are sufficient for the pair of cycles on the left, but not for those on
the right.
5.4.2 ReaJisability of the X.2S design
Figure 18 shows an RTfPC design graph of our X.25 system. It has a process for each of
the two protocol layers, LAPB and packet level; and one for the network layer interface. The
physical layer is implemented in hardware, and is represented in the graph by input devices.
The design contains two output devices (not shown in the design graph): the physical layer
(for frame transmission) and the h06t interface. Due to the flow control mechanism of the
X.25 protocolltack, the output devices cannot be flooded. Since they are not required in the
realiAbility analysis, the output devices are omitted from the graph. Should any reasonill~
about timing involving the output devices be required, they can be added without any impact
OR the realiaability analysis of the system. A.,nchronou.s channe& in the system are labeled
.
G~· "1.
The design graph contain. six input devices:
Stellenbosch University http://scholar.sun.ac.za
CHAP7'ER 5. DEVELOPING REACTIVE SYSTEMS
}(OIt
b c
e f
d PLv) timers
63
Figure 18: RT fPC design of X.25
1. hIMt - control and da.ta. messages sent to the embedded protocol stack by the hOlt PC.
2. PLvl timer. - The packet level protocol maintains several timers which signal cert:.1.in
events.
3. MdmC - An event indicating a change in the modem status to LAPB.
4. TzC- An event indica.ting the completion of a frame transmission to LAPB.
5. Rz - An event indicating that an incoming frame has been received.
6. Tl - LAPB maintains a. single timer which signals the occurrence of certain events.
Channel rate function.
The rate at which messages flow through the X.25 system is determined by the rate at
which the hOlt sends data, and the rate at which messages are received on the physical
layer interface. The 1IHW.t cau rate occurs when a sustained burst of messages is Rnt in
both directions between an X.25 DTE and DeE.3 H the DTE and DeE are correctly tuaed,
each received LAPB frame will contain both a packet level data packet and a LAPB frame
3T1te CCITI". recomJaUd-oo. X.2S ddae. 'lie protocol betwee. & DTE (Data Tenaintioa Eqlli.-.eal)
aad & DeE (Data eo.HelM. Eqmpmeat). TIae DTE repraeaaa tile X.25 uer'. eqaipmeat. lite DeE Ute
poiat WHre tile aft'. IQk couect. to tke X.25 packet .witdaed aelwork.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS 64
acknow1edsement. In response to such a. (rame, LAPB will then lend two mes_ace. to PLvI:
a data and a control primitive. In this wont cue .cenario, each packet level data packet will
contain a data message for the host, as well as a packet level acknowledgement. In retponle
to each data packet, PLvl will therefore send two primitive. to the nser via. NL31F: a data ud
a control primitive. Based on the worst cue behaviour of the system, we can now determine
the following channel rate functions for the system:
• 6 = a - All primitives from the host are passed to PLvl by NL3IF.
• 1= 2j - Each received frame is an information frame which causes LAPB to send a
data primitive and a. control primitive to PLvl.
• c = 2 x t = f - Half of all primitives which PLvl receives from LAPB (t) are data
packets. Each packet contains data for the host as well as packet acknowledsement.
For each data packet received, one data indication primitive and one control primitive
is sent to the host via NL9IF.
• e = 2 X t =1- Each control message sent to PLvlon f causes it to send the next
queued information packet to LAPB (t). Each data primitive which PLvl receives on J
causes it to send a control primitive on e (t).
The behaviour above can be achieved only if the host interface is at least as fast as the frame
reception rate - a ~ j. If a > j the X.25 How control mechanism will ensure that hOlt data.
is transmitted only at the rate at which frames are acknowledged. H a < j the message flow
rate in the system will be lower, and the worst case behAviour described here will not occur.
The input devices, MdmC, TzC, Tl and PLvl Timer$ caule very limited message :ftow in
the system. In the worst case behaviour described here, only TzC and MdmC generate any
events. Neither of these events cause any message How out of LAPB, and therefore have
no impact on the realisability of the system. TJ and PLvl timers will only generate events
when communication timeouts occur - in other words, when the How of data. through the
system i. much lower than the worst case described above. We can therefore ignore these
input devices for the purpose of our realisability analysis, and use the reduced design graph
shown in fipre 19.
Fi!Ul'e 19 shows that even though the RTfPC design of X.25 contains non-disjoint cycles, the
channel rate functions are easily solved. This is because the channel rate functions depend
upon the interactions of the X.25 protocols, rather than cumulative input. The design graph
in fipre 19 U rm/iMJble 6ecau"e all the channel rate functions can be :wIved.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
H05t
65
b=a c=f
e=f f = 2j
Figure 19: Reduced, annotated RT fPC design for X.25
It is pouible to refine the design graph in figure 19 by refining the processes and channels
shown into sets of processes and channels. For example, the data and control flows can be
separated into separa.te channels and receiving and sending processes. In this wa.y cycles
in the design graph ~=m be removed. However, the added complexity will not simplify the
analysis. The structure of the system is such than the effective message Bow in the refined
graph is exactly the same as in the abstracted graph shown here.
ESE kernel extension - mailboxe. and alarms
Two practical issues, which arose in using RTfPC and the ESE kemel in practice, prompted
the addition of asynchronous channels, which can buffer multiple messages, to the basic ESE
kernel.
The fint situation occurs when one input message (event) can cause its receiver process to send
more than one output menage to the same destination. Consider the worst case behaviour
of the X.25 system, described above. Each LAPB frame received causes two message. to be
Jent to PLvl. H both meuagel were sent OB the same channel, the channel would ovedlow,
because ESE would not preempt LAPB so that PLvl could process the first messa«e. There
are a number of solutioDs to this problem:
Stellenbosch University http://scholar.sun.ac.za
CHAPTER S. DEVELOPING REACTIVE SYSTEMS
1. Both primitives could be packed into one mellage, and Hnt together. J[owever, tlU.
would violate the conventions of the 081 n·aervice interface, which requirel Hparate
control and d.ta primitives. It would allO require the receiver of each mCIUI~ to
parse it for the primitives it contains, and a separate thread to be executed for each
different message. But this approach does not suit the deair;n of a reactive .y.tem,
which processes events one at a time.
2. Separate channels can be created for different types of meuages exchanr;ed between two
processes. This is a viable solution, since the deadline schedulinr; policy can enlure that
messages are processed in the order they were sent. Care haa to be taken, however,
of the number of channels created. Section 4.11 shows that the number of channelt
in a system haa a significant impact on the fixed scheduling overhead. Thil becomes
especially significant when a less powerful embedded processor, such as an Intel 80188,
is used.
3. Messages can be buffered, and a signal used to activate a. receiver process once for every
buffered message. When the buffering and signaling functions are combined, the result
is equivalent to an asynchronous channel which can buffer multiple messages.
The 1CC0nd motivation for buffered asynchronoul channell involvel the Ule of timen. In lOme
systems provision has to be made for a large number of timers. The X.25 packet level, for
instance, requires a separate timer for each logical channel. In our implementation, which
supports up to 200 logical channels, this would imply 200 extra channell, and that would
have a significant impact on the COlt of scheduling. The anlwer to this problem il to have
a. second type of timer in ESE: one which signals expiry on a buffered uynchronoul channel
rather than the standard ESE asynchronous channel. Several of these timers can then Ihare
one buffered channel. For the reasons outlined above, Mail6oze. and Alamu were added to
the basic ESE kernel.
A mail60zis an asycbronou. channel which can buffer up to a predefined numberofmeuag,es.
Like an ESE input port, the receivins process of the mailbox will be scheduled once for each
buft'ered ~e. The semantics of mailboxes are exactly the aame as for input ports, and
the receivin! process of a mailbox will be scheduled at least at the rate correspondiD! to the
period of the mailbox. Since a mailbox can receive meaups from a Bumber of taab, it does
not identify its sender task. The buffer slots required by a mailbox are allocated when the
mailbox is created. This is done to fix the cost of lendins a messase to a. mailbox. If the
bu1Fer space {or a slot is allocated when the send occun, there ma.y be an unpredictable delay,
or in the worst case the system may be unable to allocate the required space.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVEL OPING REACTIVE SYSTEMS 67
When a meuqe ia put into a mailbox, it i. copied into the buffer .pace maintained by the
ESE kernel. If it i. the only meuase in the mailbox, a deadline i. calculated for the mailbox.
ESE'. scheduler and Receive command treat mailboxea u part of the seneric let of channell,
which conaiatl of asynchronous channels, input porta and mailboxea.
An alarm is a timer which signals its expiry on a mailbox rather than an uynchronoUi
channel. It is started and stopped in the same way as an ESE timer. Because alarm expiry
notifications are buffered in a mailbox, an alarm cannot be uled to provide an accurate time
tick to a process. When accurate timing is required, an ESE timer mUlt be uled. When a
timer is used only to indicate tha.t an event (timeout) had occurred, and thi. does not require
accurate timing, an alarm can be used. The overhead involved in sending to and receiving
from a mailbox is marginall)' Mgber than for an asynchronous channel. Since there i. no
semantic difference between f,imers and alarms, alarms should therefore only be used when
the number of timers ra\l'lj r'::d would add a significant number of channels to the system.
5.4.3 Implementing the design graph
An RTfPC design graph models a system in terms of graph vertices and edges. Edges
correepond to message passing channels (both synchronous and asynchronous); vertices to
proceuetl, in/output devices, data repositories, etc. To implement a design one mUlt map a
desip p-aph onto a set of ESE tasks and channels in such a way that the temporal correctneu
of the implementation can be determined.
In his thesis [28], Jeffay specifies necessary and sufficient conditions for the viability of a
set of sporadic tasks which communicate on asynchronous channels. The ESE kernel hu the
followin~features which determine how a design graph is mapped onto a set of sporadic tasks,
and the viability conditions that apply to such a mapping:
• Non.preemptive .cheduling ensures that mutual exclusion is always ensured for any
set of tasks that share data structures and resources. Because of the non-preemptive
scheduling policy no receiver will ever consume a messagE' immediately when it is lent
- the sending task must always complete its execution cycle before another process can
be Kheduled. Each ESE channel must therefore buffer one message until the receiver
of that channel is scheduled.
• No Jata repontoriu or other mutual ezcluion mechanum.are required in ESE, becaule
mutual exclusion is guaranteed by the non-preemtive scheduling policy.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER S. DEVELOPING REACTIVE SYSTEMS 68
• No locka6lc $/aared re~uree. are lupported by the ESE kernel. All ESE tub are
therefore lingle phue tub [28J and no ready prOCell can ever be blocked by a locked
resource.
• The E5 ':; kernel scheduler ,elec" the channel with the earlie,' deadline, and activatel
the receiving process of that channel. Because tub are ICheduled non-preemptively a
task's deadline is the same as that of the channel WhOAe message it consumes at any
point in time. Due to the non-preemptive scheduling policy a task with multiple input
channels will behave exactly like a set of tasks: one for each channel.
Mappins a deaisn sraph onto an ESE implementation
A design graph can be mapped to an ESE implementation as follows:
1. ESEta&b
Jeffay recommends an implementation strategy of creating a task for each asynchronous
channel. This is because a process with multiple input channels would have a period of
..1...,.. where rift is the sum of the rates of all input channels of the process. For tasks with
...
shared resources it is desirable to have the largest possible period, because the more
blockage a task can endure, the less it imposes on other tasks. H a task is created for
each channel, the period of each task will be longer than the J...,.. of the correapondins
...
multi-input process [28].
In ESE we can create a task for each process in the desisn graph without the problem
described above. This is due to the fact that ESE does not support lockable .hared
relOurces, and schedules tasks non-preemptively on the deadlines of ready channels.
BecaUIe ESE determines which message (from which channel) a scheduled Procell can
consume, and because tasks are single threaded, the effect is the same as creatins a tuk
for each asynchronous channel in the design graph.
2. ESE channell
ESE supports only asynchronous channels. Synchronous channels reduce to stalldard
procedure calls due to the non-preemptive scheduling policy of single phase ESE tasks.
An CIIJf1Chronou ESE channel is therefore created for each asynchronous channel in
the deaip gaph. The sender and receiver tasks of a channel are those created for the
correspondins lender and receiver proceuM in the desip !Iaph.
3. ESE Rgnal port.
A aisna! port il created for every event that ori~nates from an interrupt handler. This
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
enblea ESE to schedule a device driver talk which will procetl. the event.
69
4. ESE mailboze,
A mailbox can be created. instead of two or more channe". if it is delirable to reduce
the number of channels in a system. It can allO be cleated for a let of alarmli to lipal
their expiry on. A mailbox may allO be used to reduce the Bow rate of mea.._ OR a
certain path in a. system. The mailbox can be used to buffer and release meJAlet at
the desired rate. In tbis wayan otherwise non-viable .ystem may be made viable.
Rula for the ute of mailboxe.
1. The number of unprocessed me.aages to be buffered by a mailbox mUlt be bounded. If
the system does not impose some form of flow control over the processcs communicatinl
through the mailbox. the mailbox will overflow.
2. A mailbox II!ust be created with enough slots to buffer the largest possible number of
unprocessed messages which may be sent to it, otherwise it will overflow.
3. The period of the mailbox determines a lower bound on the rate at which the meu~es
in the mailbox will be consumed. Ifno other channels have earlier deadlines, the mailbox
receiver will be scheduled faster than the rate correspondins to it. period.
4. Becaule mailbox slots are allocated when the mailbox is created, each .lot must be
larse enough to hold the largest pouible meBI~e that can be sent to the mailbox. If a
mailbox is created to combine two channels which have a. large difference in maximum
meAa!e size, the mailbox must provide buffer space for the smaller m~es in slots
large enou~ to hold the largest message. This wastes spKe, and in such a cue it may
be more desirable to create two separate asychronoull channels. A mailbox should be
used to combine channels only if they have similar maximum message sizes.
Re8niDs deaisn .raph uynchronous channels
The purpoee of the desip yaph is twofold: to model a system as clearly and simply as
poaible; and to determine the realisa.bility of the desip. The first purpose requires the
abstraction of unnecessary detail; the aecond, sufficient detail to calculate the meuase low
fate. accurately.
In lOme desips it is possible to combine a number of asynchronous channels into one in
the dsi~ ~ '" "'h. In the implementation one may then create more than one channel fOf a
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS 70
corretpolldin~ asynchronous channel in the de-ip Iraph. The refined deaisn would .till be
realisable, aiince the effective menage flow rate between the proceuel remained the tame.
Example In the X.25 design both the LAPB and packet level protocol. can sener&te botla
a data and a control message to i!uh other in one execution cycle. Beeaule or .0Il.
preemptive schedulins this will cause channel overflow if both menages are IeDt OD the
same channel. To solve this, we create separate control and data channell, and if the
original daign was realisable, the refined one will be u well. The channel overflow
problem is eliminated in the refined design, and the temporal orderins of meuases i.
preserved by the deadline scheduling of receiver procelJel.
In this example a mailbox could also have been used to solve the problem. Thi. would
have required buffer space to be allocated for the larsest meua«e which the mailbox
could receive. Since the largest control message i. aeveral times .maller than the larptt
data message, it is more memory efficient to create separate channel. in this cue. If
all messages ha.ve the same size, a. mailbox would be & better solution becaule it would
reduce the number of channels. In this way the scheduling overhead i. reduced.
5.4.4 Implementation mapping of the X.25 example
In section 5.4.2 we determined the realisability of a mQdel of an X.25 system (fisure 19).
That model was made deliberately abatract to illuminate the logical structure of the sy.tem,
and to avoid implementation detail. To reason about the viability of a system, we need a
model which represents the planned implementation in the exact detail of tasks, channels and
mailboxes. Figure 20 shows the refined model which represents our planned implementation.
Tub
The implementation model has an ESE ta$k for each process in the design gra.ph of the
previous8eCtion: NL3IF, PLvl and LAPB.
IDterrupt handlen and aisnal porta
The input devices of figure 19 have been refined to input devices which &enerate eventl to
inte,.",pt luuuller6. The interrupt handler signal. the occurrence of the event on an ESE~
port. The input device represents the physical device - it is not implemented in IOftware.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
HOlt
FromHOItE
N2P P2N
71
Packet Level ::::J
Timers
Tl 1----1
TxCE RxE
Network
Fipre 20: Refined model of X.25 for implementation
Stellenbosch University http://scholar.sun.ac.za
CIIAPTER 5. DEVELOPING REACTIVE SYSTEMS 72
Tb~ reuon (or this refinement is to model the COlt o( proce"in! an event hQm an input
device accurately. Interrupt hMldler. in fipre 20 are .hown u proceue•• Thi. i. becaUH an
interrupt handler is semantically equivalent to an ESE process. except ro~' the fact that it i.
not scheduled by ESE's scheduler.
Host
FromH06tE
Host Int Handler
FromH06tS
Network
TxCE
RxE
PLllnt Handler
TxCS
RxS
The host PC
The event which causes an interrupt to the X.25 system
The interrupt handler for host interrupts
A signal port on which Host Int Handler signals the arrival o( a hOlt
message to NL3IF
The physical layer hardware
The event wlJch causes a transmission completion interrupt to the
-;ystem
Tne event which causes a frame reception interrupt to the system
The interrupt handler for physical layer interrupts
A signal port on which PLI Int Handler signals an transmission com-
pletion interrupt to LAPB
A signal port on which PLI Jnt lIandler signals a frame reception to
LAPB
Asynchronous channels
The channels of the abstract design graph have been refined in figure 20 to accurately model
the message flow which will occur in the implementation, and the channels between PLvi and
LA.PB have been refined into pairs of dat~ and control channels.
N2P NL3IF to PLvl cha.-ln~h aU primitives
P2N PLvl to NL3IF channel: all primitives
P2L. PL\,l to JJAPB channel: dat2. primitives only
P2Lc PLvl to LAPB channel: control primitives only
L2PJ LAPB to PLv! channel: data primitives only
L2Pc LAPB to PLvl channel: control primitives only
Stellenbosch University http://scholar.sun.ac.za
CllAPTER 5. DEVELOPING REACTIVE SYSTEMS
Time,.. and mailboxea
73
Doth PLvl and LAPD require timcouts to signal certain event•. LAPD'. linsle timer, TI, i.
created u an ESE timer, and signals expiry on a channel. PLvl require. many timerl, and
since ESE's scheduling overhea.d increases with the number of channels in the .ystem, tbeae
timers are implemented as ESE alarms which signal expiry on a single mailbox.
Tl A timer, and a channel called Tl
Packet Level Timers Ai.l alarm for each PLvl timer, and a mailbox called Packet Level
Timers. The mailbox has one slot Cor each alarm which may expire.
5.4.5 Viability analysis
The first step towards implementation of the RTfPC design graph is a mapping of the design
onto a set of tasks and channels, supported by the ESE kernel. This was the subject of
sections 5.4.3 - 5.4.4. The purpose of the viability analysis is to determine whether the
implementation of that mapping will be temporally correct. Viability analysis takes into
account the implementation strategy, as well as the processor on which the system i. to be
implemented. A viable implementation of a design graph will always be temporally correct.
This means that all execution cycles of all tasks in the implementation are always guaranteed
to complete before their deadlines. We use an implementation stra.tegy of single phase, non-
preempti-..e, non-rt:~ource consuming sporadic tasJrq (for the purpose of analysis the CPU
is not a resource). ESE processes are 3ingle-ph~e because ESE does not support lockable
resources, and because they are not preempted.
Accordin,; to Jeffay the viability conditions for this implementa.tion strategy are:
Definition 15 A .paradie task T is a tuple (c,p) where:
c = computational C03t: the time to execute ta" T to completion on a dedicated uniproceuor,
and
p =period: the MortelJt pomble interval betUH!en 6ucceuive reqUf:3t3JDr execution of tuk T.
DefInition 18 A ~t of 6porodic tasks, T ={TttT2'.' .,Tn }, 30rted in non-decreasing order
" period, can 6e &eheduled non-preemptively without irurerted idle time Jor all pouible releae
tima iff:
(1)
Stellenbosch University http://scholar.sun.ac.za
CllAPTER 5. DEVELOPING REACTIVE SYSTEMS
and
The meaning of the two conditions are:
74
(2)
1. For any task, ; gives the rate of that task. The execution C06t multipJied by the rate
(c x ;) gives the fraction of the standard time unit that the task can consume in the
worst case. The sum for all tasks of ~ can therefore not exceed one standard time unit.
2. For any task, the remainder of its period less its execution C06t must be larse enough
to cover any delay the task may experience due to other ready tasks being scheduled
before it.
Note: When all tasks have the same period only condition 1 needs to be tested.
How do we apply these conditions to an ESE implementation? Since ESE tasks are sporadic,
and scheduled non~preemptively, we can treat each channel as if it has a dedicated process
which processes only messages from that channel. We therefore use the ~hannels of a de8i~n
as "tasks" in the viability analysis, with the C06t of processing a message on each channel as
the COlt of that "task".
For a feasible set of tasks, condition 1 is easily verified. Jeffay showed that determining
condition 2 has O(n2Pn) complexity, where n is the number of tasks, and Pn is the period of
the task with the lowest rate of execution requests. However, since the number of channels
("tasks") in a typical implementation of this kind will be reasonably low (typically 30 or less),
condition 2 is determined reasonably quickly (see section 5.5).
5.4.6 Viability of the X.25 example
In order to determine the viability of the X.25 example we need accurate values for two
parameters: the worst case (shortest) period of execution requests for each task, and the
worst case (highest) C06t ofexecuting each task. For each channel in the system we consider a
separate task - the period ofeach task is the same as the period of its corresponding channel,
and its COlt is equal to the cost of processing a message on its corresponding channel. Table 3
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS 75
shoWI the cost (Ci =C(i» and the channel rate (ri == R(i» for each channel. The execution
COitl (ei) were meuured with an inwcircuit emulator.
Table 3 does not show any timer channels. This is because the timers will not expire duriQI
the wont case behaviour of X.25 analysed here. The channel rate functions in table 3 are
solved for the worst case rate of incoming 128 byte X.25 data packets. The totallenph of a
link layer frame containing such a packet is:
2 flag bllte~ +
2 FCS byte~ +
2 LAPB header byte~ +
3 packetlevelheaderbute& +
128 databyte~
137 bytes
This means that 137 bytes must be transmitted for each frame. At 64 Kbps we can therefore
transmit
64000bit~/& 1 58 4/ /
. x = . rame& $8bats/bUte 137b1lte~/ frame
For the sake of the initial viability analysis we round the number of frames per second up to
60. H we use the values of table 3 to calculate viability condition 1, we arrive at the following
result:
14 C.E -: =2.42> 1
i=l P.
The system is therefore not viable for the worst case behaviour of 128 byte data. packets
transmitted at 64Kbps, and we have to reduce the input rate to render the system viable.
Table 4 shows the system with the rate of incoming frames adjusted to 20. For this solution
of the chanDel rate functions
14E c~ = 0.97 ~ 1
i=1 P.
and viability condition 1 is satisfied.
The analysis above was done using a commercially available spreadsheet package. This is an
ideal way of solving the equations and determining viability condition 1, since it allows one
to interactively adjust the rates of input devices, and to see the resultant message flow in the
system.
Stellenbosch University http://scholar.sun.ac.za
Cll.4.PTER 5. DEVELOPING REACTIVE SYSTEMS 76
The analysis or viability condition 1 tells us that the hardware is not capable or handlins the
worat cue frame transmission rate at 64 Kbpl. Ilow does this influence our implementation?
At a line .peed of 19200 bps, 17.5 frames, each containing 137 bytel, can be tranlmitted per
second. This means that the system can be scheduled accordin,; to the EDF policy, and that
ul deadlines will be met, at line speeds up to 19200 bps. At higher line speed. the hilher
Z:l'~~age rate from input devices will cause channels to overflow. This situation i. remedied
by setting the period of the ESE signal port, which is used to signal frame arrival (RzS), to
the maximum tolerable rate of 20 frames per second. The result is that ESE will schedule
the receiving process of this signal no faster than 20 times per second when other processes
with earlier deadlines are ready. Frames which arrive at a rate faster than 20 per second must
be buffered or l06t. Since the X.25 link layer protocol (LAPB) uses a window flow control
mechanism, frames will not be l06t - frames can be buffered up to the maximum window size,
at which point the flow control mechanism wn1 prevent the remote X.25 stack from sending
any further frames. The net effect is a reduction of the rate of the input device, RzE, to
the viable rate (20). As soon as at least one of the buffered frames has been processed and
acknowledged, the remote X.25 stack can transmit again. The system can therefore operate
at line speeds higher than 19200 bps, and ESE will ensure that bursts of frames which arrive
too quickly to be scheduled will not overflow asynchrorous channels.
Via.bility condition 2 is determined by a special program. Figure 21 shows the input file to
this program for the X.25 case study. Each line in the input file contains the name, minimum
period and maximum execution COGt of a channel. Period and C06t are given in microseconds.
Figure 22 and figure 23 show the output file generated by the program in response to the input
file shown in figure 21. It first prints the channel information from the input file sorted by
non-de<.reasing period of th-: channels, and then checks viahility condition 2 for each channel.
If a channel satisfies viability condition 2, it is marked, OK. If a channel does not satisfy
viability condition 2, it is marked, FAILED.
As can be seen from the output file, our X.25 implementation model satisfies viability condi-
tion 2. The channd periods of the implementation on the ESE kernel can now be adjusted
to those used in the successful viability analysis. The ESE kernel is guaranteed to schedule
the viable implementation in such a way that all tasks always meet their deadlines - all
consumers are guaranteed to consume every message before another message is received on
the same channel.
The X.25 implementation model described here was implemented on the hardware platform
described in section 5.2. The measured performance (in terms of maximum throughput) of
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS 77
Ti ='£
1 FromHo$tE 0.0005 2 x R(RzE) = 120
2 FromJlo$tS 0.001282 = 113
I'It I'"r.....H ...... +C(FromHo.'E)
3 ToHo$t 0.001933 I'It~JttJ+C(P2N) = 59
4 N2P 0.008562 I =99I'It I'"r.....Ho.IS +C(FromHo.'S)
5 P2N 0.001031 ~ 63
+C(L2P,,)
6 P2Ld 0.005431 = 34
Itl £2,...,) +C(L:ZPc )
7 P2Lc 0.001381 +C(L:ZP,,) = 31
IW s."r
8 L2Ptl 0.006696 I =40JrlIin+C(IV.tt)
9 L2Pc 0.004321 I =40~+C(&S)
10 Tz 0.000089
HI P2.. ~. +C(P2L,d =29
11 TzGS 0.001
Ifl • ;.1 +C(TzCE) =28
12 Rz8 0.00738 I =56
IW lb.] +C(&8)
13 TzGE 0.00053 R(Tz) =29
14 RzE 0.001161 K =60
o Channel
14E c~ =2.42
i=l p,
Table 3: Viability Condition 1 - Maximum Channel Rate
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS 78
- ri = f
1 FromHo~tE 0.0005 2)( R(RzE) = 40
2 FromHolJtS 0.001282 =39
If( nomno,IEl +C(FromHo.tE)
3 ToHost 0.001933 I = 301f(';1'1 +C(P2N)
4 N2P 0.008562
IfII'-romHo":.- +C(FromHo.'S) =37
5 P2N 0.001031 :;I = 31
+C(L2PII)
6 P2Ld 0.005431 I = 16
1ft L'lP.. ~ +C(L2Pc)
7 P2Lc 0.001381 I 15+0(L2PII )
8 L2Pd 0.006696 = 17~+C(&S)
9 L2Pc 0.004321 I = 17~+O(&S)
10 Tz 0.000089 = 15
III P'lLJ +0(1)2LII)
11 TzCS 0.001
ltITsCI;, +O(TzCE) = 15I
12 RxS 0.00738 =20Jrlim+C(&E)
13 TxCE 0.00053 R(Tx) = 15
14 RxE 0.001161 R(K) =20
DChannel
14L C~ =0.97
i=l P.
Table 4: Viability Condition 1 - Adjusted Channel Rate
Stellenbosch University http://scholar.sun.ac.za
CllAPTER 5. DEVELOPING REACTIVE SYSTEMS
• il.26 Viability Anal,lil
• Input file tor Viabl.2.ElE
• T.lt for Jeffay'l Second Viability Condition
.Chann.l.... Period COlt
., ".." .
79
FrOllHoitE
FrOllHoatS
ToHoat
.2P
P2.
P2LD
P2LC
L2PD
L2PC
Tx
TxCS
RxS
TxCE
axE
26000
25641
33333
27027
32268
62500
66667
58824
58824
66667
66667
50000
66667
50000
500 .
1282
1933
8562
1031
5431
1381
6696
4321
89
1000
7380
530
1161
Figure 21: Input File for Viability Condition 2 Checker
the implementation is within 4% of the throughput predicted in the viability analysis above.
5.5 RT fPC and ESE in practice - some observations
JeffaY'15 RT fPC paradigm. and the ESE kernel have been applied to a number of reactive sys-
tems: the embedded X.25 application described in this chapter; an embedded implementation
of the Frame Relay protocol; a MAC4layer bridge; and variou. DOS based user interface pro-
grams with a menu driven interface. It is currently being used in the implementation of
subsystems of a satellite. The following are some observations from two years of experience
with the paradigm in practice.
tn.e llediam Acce. eo.trol ••blayer for broadcut aetworb [57]. for example the IEEE 802 family of
speciic:atiou.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
Viability Analyaia: Condition 2
Output froa Viable2.EXE
Channela aorted by non deere.aing period
••••••••••••••••••••••••••••••••••••••••
80
FroaHoatE
FrOllHoatS
12P
P2Jr
ToHoat
RxS
axE
L2PD
L2PC
P2LD
P2LC
Tx
TxCS
TxCE
25000
25641
27027
32258
33333
5ססoo
5ססoo
58824
58824
62500
66667
66667
66567
66667
500
1282
8562
1031
1933
7380
1161
6696
4321
5431
1381
89
1000
530
Figure 22: Output File of Viability Condition 2 Checker
Delay check per channel
.,.."....",.,.,...,..
FroaHoatE p. 25000 au del.y • 15696 OK
Fra.HoatS p. 25641 au del.y • 16337 OX
12P P • 27027 au delay • 17723 OK
P2I P • 32258 au delay • 22074 OK
ToHoat p • 33333 au delay • 23149 OK
RxS P • SOOOO au delay • 39816 OK
axE P • SOOOO .ax delay • 39816 OK
L2PD P • 58824 .ax delay • 48640 OK
L2PC P • 58824 au: delay • 48640 OK
P2LD P • 62500 .ax delay • 50021 OK
P2LC P • 66667 .ax ~elay • 1000 OK
Tx P • 66667 au: delay • 1000 OK
TxCS P • 66667 au: delay • 530 OK
TxCE P • 66667 au delay • 0 OK
Figure 23: Output File of Viability Condition 2 Checker: Continued
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
5.1.1 The area of applicability of ESE
81
RT/PC and the ESE kernel can be used effectively in any reactive application where the
number of processes and channels remain constant. If processes and channels can ~ added
or removed dudnS the lifetime of the system, the channel rate functions will chanse, and
realisa.bility and viability analysis become impos.ible.
RT/PC and ESE are particularly useful in applications where accurate reasonins a.bout time
is required. Since deadlines can be suaranteed, hard real·time systems can be built this way,
provided the system is viable on the target processor.
ESE is &. suitable platform to develop embedded systems on. It is efficient in terms of procelsor
and RAM requirements, thus maximising the amount of resources (CPU and RAM) available
to the application. The RT fPC paradigm allows systems to be designed. with the minimum
of buffering. Mailboxes and signal ports provide mechanisms to control the ra4:e at which
events enter the system. This is important in systems in which a. burst of events may render
a system nonviable on a specific processor.
ESE can be used fruitfully in non real-time environments. If all channels are created with
the lame period, ESE effectively schedules ready tasks on a round robin basis. General
event driven systems, such as user interface programs are then easily implemented with the
minimum of analysis and tuning.
5.5.2 The effort of designing for RTfPC and ESE
Since I originally implemented ESE and the embedded X.25 application, five other developers
have used ESE as a platform to implement various embedded and DOS based application•.
All report that designins for ESE is at least as simple ~s designinS for any other multitaskins
kemel used by these programmers, and that the implemented systems were very effident. The
analysis that is possl!-Ie for RTfPC systems facilitates accurate performance and requirements
predictions.
5.5.3 ReaJisability and viability analysis
Determinins the realisability ofa design is simple ifone applies Jeffay's guidelines. An RTfPC
desip paph is realisable if its channel rate functions r.an be solved. It was found in practice
that the realisability of the system wc\s usually apparent upon inspection of the channel rate
Stellenbosch University http://scholar.sun.ac.za
CHAPTER S. DEVELOPING REACTIVE SYSTEMS 82
function., and tbat it wu unneceuary to retOrt to the c:atesoriea of realisable dailll gaplu
defined by Jeffay.
Viability condition 1 can be calculated witb any commercially available spreadsheet packap.
A special prosram determines viability condition 2 for any let of .poradic tub. For tile
X.25 example it computed viability condition 2 in lesa than 2 Sl,!cond.. Computation of the
viability conditions therefore presents no problem.
5.5.4 Performance of ESE implementation.
A Sood example of the performance attainable by systems implemented on ESE, i. an em-
bedded implementation of the Frame Relay protocol [2] on the same hardware platform u
the embedded X.25 implementation described in this chapter. The scheduling overhead in
this implementation constitutes only 6.2~ of the processing time for each message that flows
through the system.
5.6 Summary of method
The purpoee of this section is to ~ve a guide to development with Jeft'ay's RTfPC paradigm
and the ESE kernel. It also includes the steps of requirements definition and system desip
to complete the development procesa.
5.6.1 Requirements definition
This is a very important step in the development process. Since RTfPC involves a priori
analysis of real-time behaviour, a small change in the requirements can render the implemen-
tation non-viable. It is therefore importaz:.t to be clear about the requirements before the
design and analysis of the system is started.
5.6.2 System design
The purpoee of the system design phase is to develop a clear specification of the functionality
and performance of the modules that 1\P"m implement the system. The system is decompoeed
in terms of data flow and autonomous modules, and a process decomposition is identified.
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 5. DEVELOPING REACTIVE SYSTEMS
1.8.3 RT/PC deaiSD
83
Once ,be Iyltem i. decompoHd into a Iy.tem of communicatinl proceuel, aD itT/PC delip
sraph is developed which .hows the interconnection of the proceuea via .ynclal'OllCMll &ael
uynchronou. communication channel., and the input and output deyiCH wbich aft tlielOllrce
and .ync of events. Mutual exclu.ion resions are identified, and the Iraph i. annotated witla
channel rate functions.
5..8.-t Reali.ability analysis
An RT/PC desip is realisable, i.e. schedulable according to the RT/PC paradipl, if the
channel rate functions can be solved. The realisability of a deaign f~raph dependa OR tile
presence and nesting of cycles in the graph. A graph without cycles i. always reallaable
- liven a rut enough processor, the system can always be scheduled in such a way that
no proceu ever misses a deadline. Jeffay gives necessary and sufficient condition. {or the
reusability of graphs ""'ith disjunct and nested cycles.
5.6.5 Implementation mapping
An RT/PC desip !l'~ph is an abstract system represented by the RT/PC deaip iCODl. In
order to determine whether a. realisable design can in fact be supported by a liven barclware
platform, it has to be mapped to an implementa.tion strategy supported on the platform. For
the ESE kernel we map processes to taskl, asynchronous graph channels to aaynchrunou ESE
channels or mailboxes, synchronous channels to procedure calls and input devices to interrupt
handlers and signal ports.
5.6.6 Viability analysis
For any number ofchannel. iii an implementation we can &ccuratay determine the acheduliaS
overhead incuned by ESE, for a siven hardware platform. We alao meuure the c~t of
proceuinf;each type ofmessage that can flow in the system. Ulinr; this input we can determine
whether an implementation of an RT/PC desip i. viab:e - in other words, whether the
implementation as mapped from the RTfPC design can be scheduled on the siven laardware
platform in IUch a way that deadlines are paranteed.
Since the ESE kernel employs a non-preemptive earlieat deadline first schedulinr; policy, the
Stellenbosch University http://scholar.sun.ac.za
CHAPTER.~. DEVELOPING R.EACTIVE SYSTEMS
viability analyull i. done u If a separate tuk exiltl for each channel. Because ESE «toe. aot
.apport lockable retOurcea, the t.wo viability conditiona, 1 and 2, are lufftclent for YlabWty.
Coadition 1 is computed ulinl a spreadsheet, condition 2 by a special pufPC*! progam.
5.8.7 Implementation
If the viability analYlit was done correctly, we are UIUred that the coueapondins imp1emen-
tatioll i. p&ranteed to be temporalty correct. Exact reuonins about the real-time belaaviour
of the Iyltem il pouible as lonl as the implementation follow. the viable let of tub and
channell exactly.
Stellenbosch University http://scholar.sun.ac.za
Chapter 6
Conclusion
The purpose of this study was to determine a design and implementation methodology suitable
for small embedded reactive systems. "tVe therefore surveyed the current trends in real-time
systems development, and found a basic dichotomy: a time driven approach and an event
driven approach [3, 32J. The time driven approach is popular in hard real·time systems
which can be implemented as sets of periodic processes [651. Rate monotonic analysis and
achedulinS are widely used in periodic systems [6], and pre-run-time schedulir ;~ used to
suarantee deadlines [65]. The event driven approach is popular in systems have to
cope with unexpected events with hard deadlines. Such systems are typically implemented
&8 sets of asynchronous processes, and scheduled by & deadline driven aJgorithm [49J.
The trend in real-time operating systems is towards distributed, fault tolerant systems which
employ pre-ran-time schedulins, or run-time schedulability analysis to suarantee deadlines
[11, 17, 38]. Hybrid techniques combine priority bued 8Chedulin~ with deadline driven
achedulinS to handle overloa.d conditions, priodt) ~uve18ionland fault tolerance [9, 49, 50].
The syatems in which we are interested are event driven, and have real-time requirements and
strict resource constraints. We therefore require a design and implementation paradipn which
supports sporadic proceues and incurs the least possible overhead on the system. Jefl'ay's
aT/PC dMiSD method [28] provides a desip and analysis method which c&Il8Uarantee dead-
oes for reactive systems. The ESE kemel, which I implemented, supports implementations
ofBTfPC system., and !Uarantees their correct temporal behaviour.
Jeffay's B.TfPC paradip. has been found to be a practical deaj~ method for the .ystems
implemented on ESE. It is an intuitive model for reactive systems, and provides a formal
bali. for risorous analysis and reasonins about time. RT/PC Dot only allow. the dem~er
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 6. CONCLUMON 86
to suarantee deadlines in the design, but alao to make accurate prediction. about run·time
performance. The automated viability analysis procedure, which is bued on a formal model,
ensures the temporal correctness of embedded systems.
The ESE kernel proves that it is possible to support RTfPC efficiently at run·time. The
scheduling implementation of the ESE kernel is highly efficient, and the run·time overhead
incurred by using the ESE kernel is minimal. Since deadline driven schedulinS allow. a
theoretical processor utilisation factor of 100% [39], RTfPC systems implemented on the
ESE kernel can use the processor optimally.
RTfPC systems implemented on the ESE kernel are suitable for embedded reactive .y.tem..
Because the RAM a.nd processor overhead incurred by using ESE is minimal, it i. ideal for
systems with limited resources. The process abstraction provided by RT/PC can model the
concurrency inherent in systems which interact with devices, and hard deadlines of devices
can be suaranteed. Another significant advantage of using RT/PC is that the amount of
buft'ering required in a system can be minimised. An RTfPC system can be designed in luch
a way, that the consumer of messages on a channel will always consume them faster than they
are produced. This means that no buffering is required between the processes.
The ESE kemel ill implemented in Modula.2, and all hardware dependenciel are ilOlated in
one module. The size of the hardware dependent module i. 323 line. of source code for the
embedded Intel 80188 version, and 218 lines of source for DOS. ESE requil'e8 4737 byte. of
RAM for code on an Intel80x86 processor, and one hardware timer to operate. Provided a
Modula-2 compiler is available, porting ESE to a new hardware platform is a quick, limple
exercise.
ESE's non·preemptive sporadic processes make it suitable to embed in another opelatiD«
system. Since ESE will only execute processes when they have messages to process, an ESE
system embedded in another operating system will consume no procetllOr cycles until an event
caUIIeI it to schedule a process. Because ESE processes run to completion, there is a known
upper bound on the amount of time for which an ESE system will remain active before
returnin~ control to the host operating system. Provided that the host operatins system
can suarantee a bounded delay between an event arriving for ESE and ESE beiD~ activated,
hard deadlines can still be guaranteed. One example of using ESE embedded under another
operatin~ system ill a version of ESE which can be used for DOS terminate ht ,tG, ruUknt
propam•.
Jeffay [28] posed a number of questions which could only be answered after usin~ IlT/PC in
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 6. CONCLUMON
practice:
87
• Can Teal-time 'JI,tem, be naturally and elegantlJl de,igned with RTfPC' R:ffPC i. ide~
ally suited to modeling event driven systems. Sy.tem. with periodic tub can, however,
also be modeled by sending a periodic timer meslage to a lporadic procell.
• What i8 the benefit 0/ ",ing RT/PC over more traditional metIwt:U'! The firat benefit of
using RTfPC is that deadlines are guaranteed. Since an ESE deaip i. a c10Md Iyltern,
there will be no unexpected run~time overload conditions which can caule deadlinea to
be missed. The deadline driven scheduling algorithm a.voids priority inversions which
may also ca.use missed deadlines.
For small embedded systems a. ma.jor benefit is the fact that RTfPC allOWI the deliper
to minimise the amount of buffering that is required. When communicating proceues
are not guaranteed to adhere to RT/PC, some buffering mechanism is required, which
must provide for the worst case of unprocessed messages. This bter.procea buffering
is unnecessary for RTfPC processes.
Jeffay proves that the RTfPC discipline is deadlock (ree [28]. An RTfPC Iyltem il
driven by events, and a process is only scheduled when it has a message to CODlurne.
In ESE there are no lockable shared resources which may block a proceu, and linee all
inter-process communication is asynchronous, deadlocks cannot occur.
The small size ofthe ESE kemel means that it can be used in environment. where kemels
with more sophisticated features would be too expensive to support. This mean. that
a whole new class of embedded systems can benefit from process ~.~d dMip., and
paranteed deadlines.
• It mUlt 6e demomtrated that it i8 possible to implement the RTfPC parodigm. The ESE
kernel and the various implementations done on it demonstrate that the paradi~can
indeed be implemented.
• 1. tlae co,t o/8Chedu/ing and npporting RT/PC too great'! ESE demonstrate. that the
CO&t of schedulin~can be extremely low. When non-preemptive earliest deadline firat
schedulin~ is used, all processes can be executed on the same stack, and the Ie1ection
of the next process can be done in time linearly proportional to the number of channels
(O(n) for a. set of n channels). Section 4.11 pves measured performance figurel.
• Con tuk lieU in practice MdillJ the viability conditionl~ The class of applications, for
which the RTfPC method and the ESE kemel is bein~ used, is alway. a cloeed, reactive
Stellenbosch University http://scholar.sun.ac.za
CHAPTER 6. CONCLUSION 88
let of .poradic tuka. For thete .y.tem. the viabiUty condition. were Dot fouad to be
reltrictive.
RTfPC and the ESE kernel are currently in use by three commercial companiel and a releU'cla
institute for applications ranginr; from data communications to aateUite .ubly.temJ. Tile
delip method hu been found practical and of benefit in the development of .mall embedded
systems. The correctneaa of systems has been improved by eliminatiDl timinr; errou, aad the
reduction of butreriD'; has been an important benefit. The ableDCe of timiD'; erran, ud the
fact that process scheduler priorities and buffering do not have to be tuned durinr; .y.tem
testinr;, has been found to reduce the development time of embedded systems.
Stellenbosch University http://scholar.sun.ac.za
Appendix A
ESE interface types and cOInInands
The basic ESE kernel supports processes which communicate over asynchronous channell t
and input devices which signal device driver processes on input ports. It also provides timers
which signal expiry by sending a. message to a process over au asynchronous channel. The
following sections describe the parameters and semantics ofeach of the commands of the basic
ESE kernel.
A.l Types
The followiD~ types are used in the interface to ESE.
A.I.I Alarm
An opaque type in the interface which identifies an alarm record in the timer table.
• POlITER TO AlaraRecord ;
A.l.2 AsyncChannel
An opaque type in the interface which identifies an asynchronous channel record in the channel
table.
A.JDcChannel • POlITER TO A.yncChannelRecord ;
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMMANDS
A.I.S InputPort
90
An opaque type in the interrace which identifiet an input port record in the chuael table.
InputPort
A.I.4 Mailbox
• POIIITIIL TO InputPortRecord ;
An opaque type in the interface which identifies a mailbox record in the channel table.
Mailbox
A.I.S Menage
• POlITER TO KailboxR.cord ;
A pointer to a buffer which conta.ins a. message sent on a. channel.
• POlITER TO ARRAY [1 ••MAX_MESS1GE_SIZE] OF Oct.t ;
A.I.6 Name
Variou. objects in ESE receive symbolic names to identify them for debugin« pUl'pOMl. A
name is an AScn string•
...
A.l.7 Octet
An Octet is an 8 bit type which can store numbers in the range [0,~ - 1].
A.I.8 Process
An opaque type in the interface which identifies a process record in the process tab~.
hoc••• • POlITER TO Proc•••Record ;
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMMANDS
A.I.i Thread
The entry point of a procell. repreented by a procedure type with no parameteno
A.I.IO Time
91
A 64 bit type is used to store time values. Time is meuured in e1apled micrOleCOlldl, 10 &
time interval of 2" - 11'8 can be handled. This translates to 584942 year., which i••ufficient
to implement linear system time. A 32 bit time value repretentl an interval of ju.t over 1
hour, if time is measured in J&S. This would require the system time to wrap to 0 periodically,
introducin~ possibly inconsistent deadlines.
A.I.II Timer
An opaque type in the interface which identifies a timer record in the timer table.
Tiller • POlITER TO TiII.rRecord ;
A.I.12 U.erRef
A number, chOllen by the user, by which ESE will identify channels and timen to the URr in
the Re~iuecommand.
A.2 CreateProcess
CrmteProcu. is uled to create & sporadic process which will be scheduled if it receivea IlleS-
sap on its input channels. CreateAqncChannel, CreateMtJilboz and Createlnp"tPort ale11_ to create the input channels to a procell.
PIOCEDUIE
( n..
'thrHcl
YO proc•••
CreateProce••
.... ;
Thread ;
Proce••) ;
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMMANDS
A.3 CreateAsyncChannel
92
Crea'eA,,ncChannel is used to create a unidirectional uynchronou. communicatiOll channel
between only two processes. CreateProceu is used to create the procellel.
PROCEDURE
( n...
ua.r_r.t
p.riod
.end.r
r.c.iy.r
• ax_••••ag._.iz.
VAR chann.l
A.4 CreateMailbox
Cr.at.'ayncChann.l
.... ;
U••rR.t ;
Tia. ;
Proc•••
Proc•••
CARDI.'L ;
'ayncChann.l)
CreateMail60z is used to create an asynchronous channel which can buffer one or more mea-
sages. A mailbox has one receiver and one or more senders. CreateProct!u is used to create
the proceuea.
PROCEDURE Creat.Mailbox
( n•• .... ;
u••r_r.t UserRef
rac.iy.r Proc•••
no_of_alota CARDll,AL
.lot_aiz. CARDII.L .t
p.riod TiJI. ;
VAR llailbox Mailbox)
A.5 CreateInputPort
CreaulnpvtPort is used to create an input port on which an interrupt handler can sip.a! to
& device driver process. CreateProceu is uJed to create the processes.
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMMANDS
PROCIDUU CreateIuputPort
( D_ : I.. :
u.er_ret : U.erAet .
•
period : TiM ;
recei.er : Proce•• ;
YAIl port : InputPort)
A.6 StartSystem
StartSplem il called by the sYltem to start the ESE scheduler once the procell/channel
network hu been created. Once the StGrtS,.tem has been called ESE'lscheduler remain. in
control aud CQDtrol never returns to the thread from which it was called.
PIlOCEDUIE
0;
A.7 SendMessageOnAsyncChannel
SendMeNGgeOnAqncC1,annel is used. to send a message on an uynchronou channel.
PIOCIDUD
(chamae1
......
.iz.
A.8 PutIntoMallbox
SendM....eODbJDcChun.l
: ••JDcChunel
: JI..... ;
: CAJU)II1L) ;
PtdlntoJl.uNzilllled to put a JneUa«e into a mailbox. Mailboxe. differ from uynchronou
da.... i. t.at~ k does not :b.ave to be proc:eeaed beforem~ k + 1 i. RAt OIl
tlle aame cIlUHI. TIle mailbox buJrers meuapI, aud the ~ver proc:eu of the mailbox i.
Klted1lled at & mi.im-.m rate equal to the period of t:b.e mailbox.
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMMANDS
PIOCIDUII
C..11boz
......
.iz.
A.9 SignalInputPort
PutIntollailboz
Mailbox:
M..... :
CAIDIIAL) ;
SignallnptdPort is used by an interrupt handler to lignal to a device driver procell. Port.
differ from asynchronous channels in that lignal Ie does not have to be proceued before ,ipal
k +1 i. eent on the same channel. The port buffers signals, and the receiver procell of the
port is scheduled at a minimum rate equal to the period of the port.
PILOCEDUR!
(port
A.tO Receive
SignallnputPort
: InputPort) ;
Receive i. c&1led by a scheduled procesl to retrieve the user reference of the channel for which
it wu scheduled, u well as the message sent on that channel. H the channel is an input port
only the channel user reference is returned.
PJUJCEDUI!
(YB chann.l
yn .....
yo. ab.
a.c.iy.
U••rR.f ;
M..... ;
CARDIllL) ;
The mes&a!e in the active channel is not copied out of the internal buffer by the Receive
commud. Since ESE employs non-preemptive schedulinS, the sender of the channel cannot
be Kllecbded durinS the execution of the receiver. The receiver is therefore SUU'aDteed that
tile me.ase will not be overwritten durinS ita execution. The only exception occun wen a
proce. RDda~ to itaelf' on .. channel. In this cue the process would have to copy the
me-ap to .. Ioca1 buffer before eendins &Dother.
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMAtANDS
A.II SetTimer
95
Se'Timer i. uted to .tart .. kemel timer which will expire after the apecifted period, aad Iftd
aD expiry meuap to the receiver procell of the .peclfied notiftcaUoa cbannel.
PROCIDURI
( uer'_ref
DOtification_channel
period
'lIt'tmer
A.12 SetAlarm
Se'tTmer
: U.erRef ;
1.pcChannel ;
TiM ;
Tiller) ;
SetAlcann i. used to start .. kemel timer which will expire after the specified period, aud Pllt
an expiry mesla,je into the specified notifica.tion mailbox.
PROCIDURI
( uU"_ref
Do'tifica'tioD_aailbox
period
yllt UU1I
A.13 StopTimer
S.'tllU1l
: U••rl.f ;
: Mailbox;
: Tia. ;
: llU1l) ;
Sto,Timer ia called to atop a timer which wu started earlier by a. SetTimer command, aad
whoee expiry meaap has not been received yet.
PIOCBOOIE
('tiller
uer'_ref
DOt1flC&'tioD_chazmel
S'topTiMr
: Tiller ;
: U.erRef
: 1.yncChazmel) ;
Stellenbosch University http://scholar.sun.ac.za
APPENDIX A. ESE INTERFACE TYPES AND COMMANDS
A.14 StopAlarm
96
SIopAl4nn il called to stop an alarm which was started earlier by a SetAltJrm command, and
whOle expiry message has not been received.
PROCEDURE
(&lUll
uaer_r.f
DotificatioD_aailbox
StopAlara
Alara :
U••rRe:r
Mailbox) j
It il pouible for a. timer or alarm to expire, and to be reused by another procen, before the
receiver process is notified of the first expiry. H the receiver process is scheduled in retponle
to another event, which causes it to stop the timer (alarm), it will still have a. valid timer
(alarm) reference, but possibly for .. timer (alarm) set by another proceu. Both the uler
reference and notification channel (mailbox) of the timer (alarm) are therefore compared to
the parametell of the SwpTimer (StopA14m3) call. H they do not match, the timer (alarm)
referred to in the rall had already expired.
H a proceu attempt. to atop an expired timer (alarm), ESE remove. the expiry meeu«e
from the notification channel (mailbox), after checking that the URr reference of the expiry
meua«e matche. the parameter of the StopTimer (StopAltJrm) call.
Stellenbosch University http://scholar.sun.ac.za
Bibliography
[1] iRMKTM Version 1.1 Real-Time Kernel, and iRMX™286 Releue 2.00 Operatin« Sy.-
tem. Intel Corporation, Santa Clara, CA, June 1987.
[2] Revilion 1.0 ANSI TISl. Frame Relay Specification with Extentionl. Technical report,
DEC, Northern Telecom, Inc., Stratcom, Inc., 1990.
[3J A. Benveniste and G. Berry. The Synchronous Approach to Reactive and Real-Time
Systems. IEEE Proceeding3, 79(9):16-21, September 1991.
[4] B.A. Blake and K. Schwan. Experimental Evaluation of a Real-Time Scheduler for
a Multiprocessor System. IEEE Tran&actioM on SojtUHJ1'e Engineering, 17(1):34-44,
January 1991.
[5] A. Burns. Schedulinr; hard real-time systems: & review. SojtUJG1'e Engineering JOKrntJI,
6(3):116-128, May 1991.
[6] L.R. Carter. An Introduction to Rate Monotonic Analysis. Note. of IFIP WGf•.1 African
A"ttlmn School, Univermty oj Pretoria, 29 March to 2 April 1993.
[7] DeR. Cheriton et aI. Thoth, a Portable Real-Time Operatin! System. Comm"nicatiom
oj the ACM, 22(2):105-115, February 1979.
[8] H. Chetto and M. Chetto. Some Results of the Earliest Deadline Schedulin~Al~thm.
IEEE 7hmaactimu on $oftV1Gre Engi~ering, 15(10):1261-1269, October 1989.
[9] H. Chetto and M. Chetto. An Adaptive Schedulint; Alt;orithm for Fault-Toleraat Real-
Tune Sy.tems. SoftV1Gre Engineering JOMrnal, 6(3):93-100, May 1991.
[10] E.M. Clarke et aI. Automatic Verification of Finite State Concurrent Systemt -,-J.inS
Temporal Lo!ic SpecificatiODI: A Practical Approach. Proc«Jinga 1(1" Annl&Cl1 ACM
S""JHMi_m on Principlu Programming LGngv.tJfJU, 1983.
Stellenbosch University http://scholar.sun.ac.za
BIBLIOGRAPHY 98
[llJ A. Damm et aI. The Real-Time OperatinK System of MARS. ACM Operating S"tcrru
Review., 23(3):141-157, July 1989.
[12} S. Davan and L. Sha. Source. of unbounded priority inver.ionl in real-time .y.tema aDd
& comparative study of possible solutions. AeM Operating SII.terru RetMID., 26(2):116-
120, April 1992.
[13] W-P. de Roever. Foundations of Computer Science: Leavinr; the Ivory Tower. EATACS
B.dletin, 44, June 1991.
[14] S.K. Dhall and C.L. Liu. On a Real-Time Scheduling Problem. Opemtionl Ruearch,
26(1):127-140, January-February 1978.
[15J A. Fugetta et aI. Some Consideration on Real-Time Behaviour of Concurrent Progamt.
IEEE TronsGctioM on SoftWGre Engineering, 15(3):356-359, March 1989.
[16] B. FurM et aI. Performance of REAL/IXTM - Fully Preemptive Real Time UNIX.
ACM Operating Sy&tem& Reviews, 23(4):45-52, October 1989.
[17] A. Geit.h and K. Schwan. CHAOSarc: Kernel Support for Multiweight Objects, Invoca-
tions, and Atomicity in Real-Time Multiprocessor Applications. ACM TrofUGCtiom 0/
Computer Sy3tem3, 11(1):33-72, February 1993.
[t8] V.H. Haaae. Real-Time Behaviour oC Programs. IEEE TronHCtioru on SofttDGre Engi-
neering, 12(9), September 1981.
[19] D. Baban and K.G. Shin. Application of Real-Time Monitorin& to Schedulinr; Tub with
Random Execution Times. IEEE Tramactiom on SoftlDGre Engineering, 16(12):1374-
1389, December 1990.
[20] D. Harel. Statecharts: A Visual Formalism for Complex Systems. Science 0/ CompilUr
Programming, 8:231-274, 1987.
[21] D. Harel et al. STATECHARTS: A Workin! Environment for the Development or Com-
plex Reactive Syltems. IEEE TronMICtioru on SoftlDGre Engineering, 16(4):403-414,
April 1990.
[22) W.S. Heath. Software Deei~ for Real-Time Multiprocessor VMEbus Syllema. IEEE
Micro, 7(6):71-80, December 1987.
[23] C.R. Hehner. Real-Time Programming. In/ormation Proceuing Letter., 30(1):51-57,
January 1989.
Stellenbosch University http://scholar.sun.ac.za
BIBLIOGRAPHY
[24] C.A.R. Hoare. Communicatinc Sequential ProceIRI. CommlmicGtionl 01 tIae ACAI,
21(8):666-677, AUlUlt 1978.
(25] C.A.R. Hove. Communicating Sequential ProcelU'. Prentice-Hall Internatioau SerieI
in Computer Science. Prentice-Hall International, 1986.
[26] M.E.C. Hull et al. Development Methods for Real-Time Sy.tem•• Compwu,. JotAmal,
34(2):164-172, 1991.
[27] F. Jahanian and A.K-L. Mole. A Graph-Theoretic Approach for Timinl Analy. in
Real-Time Losic. Proceeding. 01 ReId-Time Sll8tem. SJ/fnpo,ium (IEEE), New Orkanl,
LA, Pases 98-108, December 2-4, 1986.
[28] K. Jeffay. The Real~Time Produce,./Coruume,. Paradigm: TOIDGnU Verifiabk RetJl-Time
CompllwtioJ16. PhD thesis, Department of Computer Sdence and Engineering, Univenity
of Wuhinston, Seattle, 1989.
[29] M. JOieph and A. GOIwami. Formal description of realtime systems: a review. In!OrmG-
tion and IOfttDGJ'e technolDlII, 31(2):67-76, March 1989.
[30] K.B. Kenny and K-J. Lin. Measuring and Analyzing Real-Time Performance. IEEE
SoftVJ(J~, 8(5):41-49, September 1991.
[31] F. Kolnick. The QNX Operating S,.tem. Basis Computer Systems Inc, Ontario, Canada,
1989.
[32] H. Kopetz. Event-Triggered venul Time-Triggered Real-Time Syltems. In o"eraU",
Spte".. of the 90'. and Beyond, Lecture Note. in Compllu,. Science 568, Springer-
Verlag, July 1991.
[33] H. Kopetz et aI. Distributed fault-tolerant real-time system: The MARS approach. IEEE
Micro, 9(1), February 1989.
[34] H. Kopetz et aI. The Design of Ral-Time Systems: From Specification to Implementa-
tion and Verification. SoftV14re Engineering Journal, 6(3):72-82, May 1991.
[35] L Kurki-Suonio. Stepwise Desip ofReal-Time Systems. IEEE Tmn8ClCtionl on SofttIJtJJ'e
Engineering, 19(1), September 1993.
[36] J.P. Lehoczky and L. Sha.. Performance of Real-Time Bus Schedulin,; Algorithms. A CM
Perfonnance Evalvation Review, 14(1), May 1986.
Stellenbosch University http://scholar.sun.ac.za
BIBLIOGRAPHY 100
(37] S. Levi and A.K. A«rawala. Real Time SII,tem De,ign. Computer Science Ber_.
McGraw-HiU, 1990.
[38] S. Levi et aI. The MARUTI Hard Real-Time Operatin« Sy.tem. JaCM OperatingSpte".,
Review" 23(3):90-105, July 1989.
[39] C.L. Liu and J.W. Layland. Scheduling algorithms for mnltiprogr&lJlmins in .. hard
real-time environment. Joumol of the ACM, 20(1):46-61, January 1973.
[40] L.Y. Liu alld R.K. Shya.maaudar. Static analysis of real-time distributed .yatema. IEEE
TnJlU4ction.9 on Software Engineering, 16{4):373-388, April 1990.
[41] K. Marzullo and M. Wood. Making Real-Time Systems Reliable. ACM Operating SII.'e".,
Revie1D', 25(1):45-48, January 1991.
[42] F.W. Miller. The Performance of a. Mixed Priority Real-Time Scheduling Alr;orithm.
ACM Operating Sy,tefn8 Review" 24(4):52-63, October 1990.
[43J F.W. Miller. Predictive Dea.dline Multi-Processing. ACM Operating Sy,tem6 Review"
24(4):52-63, October 1990.
[44] J.S. Ostroff'. TemporallogicJor real time 'I/,tem,. Advanced software development .eriea.
Reeeuch Studies Press Ltd, 1989.
(45) A. Pnueli. Applicatiom 01 Temporal Logic to the Specijicotion and VerijictJtion of Reac-
tive Sptem6: A SurtJeJl oj Current Trernh - in Current Trend. in Concurrencr, volume
224 of Lecture Note, in Computer Science. Sprjnger-Verl~, Editor - De Bakker, JW
et al edition, 1986.
[46] J. Ready. VRTX: a real-time operating system for embedded microprocessor applications.
IEEE Micro, pages 8-17, August 1986.
[47] K. Schwan et al. Real-Time Threads. ACAf Operating Sy,tenu Review., 25(4):35-46,
October 1991.
[48) K. Schwan et aI. Multiprocessor Real-Time Threads. ACM Operating S,.tEfM Review.,
26(1):54-65, January 1992.
[49) K. Schwan and H. Zhou. Dynamic Scheduling of Hard Real-Time Tasks and R.eal-Time
Threads. IEEE TraRIGCtiom on SoftV1GJ'e Engine'!ring, 18(8):736-748, Auplt 1992.
[50] L. Sha and J.B. Goodenough. Real-Time Scheduling Theory and Ada. IEEE Computer,
23(4):53-62, April 1990.
Stellenbosch University http://scholar.sun.ac.za
BIBLIOGRAPHY 101
[51) A.C. Shaw. ReuoninS About Time in Hiper-Level Languase Software. IEEE TranMC-
lion. on SojtfANJrt! Engineering, 15(7):875-889, July 1989.
[52) A.C. Shaw. Communicatins Real-Time State Machinel. IEEE TranMJctio~on So/t_re
Engi~ering,18(9):805-816, September 1992.
[53] T. Shepard and J.A.M. Gagne. A Pre-Run-Time Scheduling Algorithm for Hard Real·
Time Systems. IEEE TranMJction6 on SoftWGre Engineering, 17(7):669-677, July 1991.
[54) K.G. Shin et aI. A Distributed Real-Time Operating System. IEEE SoftWGrt!, 9(5):58-68,
September 1992.
[55] J.A. Stankovic and K. Ramamritham. The Spring Kernel: A New Paradigm for Real-
Time Systems. IEEE SofttJXJf'e, pages 62-72, May 1991.
[56] A.D. Stoyenkoet aI. Analysing Hard-Real-Time Programs for Guaranteed Schedulabllity.
IEEE Tronraction.t on Software Engineering, 17(8):737-749, August 1991.
[57] A.S. Tanenbaum. Computer Networb. Prentice-Hall International, second edition, 1988.
[58] H. Tokuda and C.W. Mercer. ARTS: A Distributed Real-Time Kernel. ACM Operating
Sple".. Review., 23(3):29-53, July 1989.
[59] W.M. Turski. Time Considered Irrelevant for Real-Time Systems. BIT, 28(3):473-486,
1988.
[50] C. Warren. Rate Monotonic Scheduling. IEEE Micro, June 1991.
[61] Recommendation X.200. Reference model of open systema interconnection for ccitt ap-
plication•• Blue book, volume viii - fascicle viii.4, CCITT, 1988.
[62] Recommendation X.25. Interface between Data Terminal Equipment (DTE) and Data
Circuit-tenni·atiD~Equipment (DCE) for Terminals Operatins in the Packet Mode and
Connected to Public Data Networb by Dedica.ted Circuit. Blue book, volume viii -
fucicle viii.~,CCITT, 1988.
(63) J. Xu. MultiprOCellOr Scheduling ofProceues with Releue Timee, Deadlinee, Precedence
ud Exdulion Relations. IEEE Tran.tCJCtions on SoftVNJre Engineering, 19(2):139-154,
February 1993.
[64] J. Xu and Pam.. D.L. Scheduling Processes with Releue Timee, Deadlinee, Precedence
ud ExclulioD Relation•. IEEE Trun.tCJCtions on SoftVJGre Engineering, 16(3):360-369,
February 1990.
Stellenbosch University http://scholar.sun.ac.za
... , DoL. Oallth r:r c l.(:-.,••II. c
.....1\ .,....N •••··cJ••·"j.j.~:,'i':.,'T'<
Stellenbosch University http://scholar.sun.ac.za
