WCET free time analysis of hard real-time systems on multiprocessors: A regular language-based model  by Geniet, Dominique & Largeteau, Gaëlle
Theoretical Computer Science 388 (2007) 26–52
Dominique Geniet a,∗, Gaëlle Largeteau b
a Laboratoire d’Informatique Scientifique et Industrielle, Université de Poitiers, Téléport 2, Site du Futuroscope, F-86960 Futuroscope Chasseneuil Cedex, France
b Signal, Image, Communication, Université de Poitiers, Téléport 2, Site du Futuroscope, F-86960 Futuroscope Chasseneuil Cedex, France
Received 27 July 2005; received in revised form 13 March 2007; accepted 14 March 2007
Communicated by M. Mavronicolas
Abstract
This paper presents the initial step of an aid design method earmarked for operational validation of hard real-time systems.
We consider systems that are composed of sequential hard real-time tasks, which are embedded on centralized multiprocessor
architectures. We introduce a model based upon untimed finite automata and meant to collect the operational behaviors of the
system compatible with its time specifications, and we go on to provide a feasibility decision result for systems composed of tasks
presenting CPU loads which are exact values: execution times are not WCET values. This is why we call this approach WCET-free
analysis. The results we have achieved likewise involve hardware specifications such as multiprocessors and speeds of processors.
© 2007 Elsevier B.V. All rights reserved.
Keywords: Finite automata; Real-time systems; Operational validation
1. Introduction
Real-Time scheduling has been implemented in real-time kernels by means of fixed priority policies (mainly RM
and DM). Dynamic priority policies (EDF, LLF) also exist [29], but they have not been implemented in operating
systems. The scheduling power of all these policies has been studied for uniprocessor and multiprocessor targets [30,
18]. Since they have not been designed to deal with precedence or synchronization constraints, additional specific
techniques have been designed [34,8].
Real-time validation has been studied: it consists in deciding whether specific software can be scheduled on a given
target (feasibility) or if a specific on-line policy can be used to schedule the software (validation). The knowledge of
all valid scheduling sequences concerning a task system designed to run on a specific hardware target is useful (in
particular) to choose the best scheduling technique which addresses the case study.
Actual system approaches are software-engineering oriented: for instance, [2] is designed to build specific policies or controllers, others are based on a categorization and the analysis of system constraints (global vs local in [2]), [35] integrates the real-time validation step into the software life cycle (see Fig. 1), [14] proposes ACSR algebra, whose purpose is to facilitate conception and analysis into the specification step of the life cycle, etc. A more controller-oriented technique is proposed by the TIMES project [5]: producing a scheduler from the time specifications and calculating the worst response times of software tasks.
Fig. 1. The operational validation in the software life cycle.
∗ Corresponding address: University of Poitiers, LISI/ENSMA, F-86960 Futuroscope Chasseneuil Cedex, France.
E-mail addresses: dominique.geniet@univ-poitiers.fr (D. Geniet), glargeteau@sic.univ-poitiers.fr (G. Largeteau).
doi:10.1016/j.tcs.2007.03.054
The problem of feasibility for multiprocessor context has been studied by few authors: [9] deals with independent
task systems with fixed CPU loads, and studies multiprocessor scheduling analytic criteria; [11] also deals with fixed
CPU loads, and gives sufficient scheduling analytic conditions; in [10], the authors define the concept of sustainability,
which characterizes the persistence of the validity when relaxing time characteristics of tasks. All these works deal
with feasibility analysis and characterization, not with collecting scheduling sequences. As far as we know, this
problem of collecting all valid scheduling sequences has not been studied for multiprocessor targets. Solving this
problem will be useful to help the user to choose a good scheduling technique. It is the aim of this paper.
Previously existing feasibility studies (they address uniprocessor targets) stand on modeling scheduling sequences,
like timed automata [4,3], Petri nets [24], etc. [37,32]. Feasibility addresses the existence of a valid scheduling
sequence: in terms of languages, this problem corresponds to the emptiness of a language. [19] shows that solving
the emptiness problem for untimed automata is linear in the number of states, whereas [3] shows that this problem is
PSPACE complete for timed automata. This comparative analysis leads us to use untimed finite automata: this model
offers the highest level of decidability for the properties we deal with, and the computing complexities are compatible
with an effective computing (see [3] and [19] for a presentation of timed and untimed automata).
Each task of the system is translated into a finite automaton whose accepted words correspond to all possible
behaviors of the task. The automaton is computed on the basis of the time characteristics of the task, in order to accept
only the task behaviors compatible with its time constraints. Concurrency is modeled by products of automata, and
synchronization (processor and resource sharing, communication) thanks to the Arnold–Nivat model [6].
Since we address the problem of collecting all possible behaviors of the systems we study, we do not rely on
the WCET assumption [17]; this is why we call our approach WCET-free analysis. In [26], Krčál and Yi show the
decidability of the scheduling problem for systems specified by [Min, Max] CPU loads. Amnell et al. cite this
as a problem to be addressed [5]. In this paper, we present a hopefully quite effective solution: we deal with systems
specified by all possible CPU loads for all tasks of the system, and we propose an algorithmic technique based
on untimed automata to reach this decision. Our technique revolves around solving the reachability problem, whose
complexity is known to be lower for untimed automata. All these factors motivate our choice of untimed
finite automata (i.e. regular languages) to model real-time systems.
We have organised this paper as follows.
• Since scheduling decisions depend on both the analysed task system and the hardware and software context (see
[25] for a complete analysis which points this fact out), the first part of the paper (Section 2) addresses the task
systems we deal with and a taxonomy of possible contexts, in order to define a precise canvas for following studies.
• The second step consists in the technical aspects of the work: we present the basic elements of our language-based
technique: Section 3 deals with the language-based model and the validation process; Section 4 shows how to
extend this technique to address synchronization; Section 5 shows how the WCET assumption can be avoided.
• The final section (Section 7) deals with the internals of the computing techniques and the results of experimentation
to point out the improvement level brought by our optimization technique.
2. Validation of real-time systems
In this section, we describe both the structure of real-time systems and a model meant to represent execution
contexts.
2.1. Real-time systems
A real-time system is composed of a finite set $(\tau_i)_{i\in[1,n]}$ of tasks. Each task $\tau_i$ is a sequence of tasks (or instances) $\tau_{ij}$ ($j \in \mathbb{N}$). Each task $\tau_{ij}$ is activated by the occurrence of an incoming event. When the flow of incoming events associated with $\tau_i$ is periodic (the time interval between two successive incoming events is a constant $T \in \mathbb{N}^*$), $\tau_i$ is called periodic, and $T$ is one of its characteristics. If not, $\tau_i$ is called sporadic.
When all tasks of a real-time system are periodic, the system is likewise called periodic.
Each job $\tau_i$ which belongs to a real-time system is time-specified with 4 time characteristics $(r_i, T_i, C_i, D_i)$. If $\tau_i$ is periodic, the semantics of these characteristics are as follows:
$T_i$ is the period of $\tau_i$: it is the constant delay that separates the activation dates of two consecutive tasks $\tau_{ij}$ and $\tau_{i\,j+1}$.
$r_i$ is the first activation date: it is the occurrence date for the first event of the flow associated with $\tau_i$. The activation date of a task $\tau_{ij}$ is $r_i + jT_i$.
$C_i$ is the CPU load of tasks $(\tau_{ij})_{j\in\mathbb{N}}$: it is the CPU time that must be allocated to $\tau_{ij}$ to complete its execution. Here, we consider the context of invariable CPU times for jobs: all tasks $\tau_{ij}$ share the same CPU load $C_i$. In Section 5, we extend this model to address tasks whose successive instances do not share the same CPU load.
$D_i$ is the critical delay of $\tau_i$: it determines the deadlines of all tasks $(\tau_{ij})_{j\in\mathbb{N}}$, that are the dates when $\tau_{ij}$ must be completed. The deadline for task $\tau_{ij}$ is $r_i + jT_i + D_i$. In this paper, we assume that $D_i \le T_i$.
It is impossible to specify at what exact time the initial activation event of an alarm job will occur: if $\tau_i$ is sporadic, $r_i$ may be undefined, and $T_i$ indicates the minimum delay that separates two successive activations of $\tau_i$.
2.2. Execution contexts
Scheduling a real-time system consists not only in attributing CPU allocation time to jobs, but also in doing so
according to the deadline constraints. The feasibility of scheduling a real-time system most notably depends on the
hardware framework (number of processors, distribution, etc.).
A scheduling context provides an accurate description of the hardware and software configuration the scheduling
algorithm is supposed to work with. A syntax meant to describe these contexts has been proposed in [22], and has
been extended in [12] and [23]. Here, we use a syntax adapted from that of [23].
An execution context is specified by a table
|               Hardware               |                  Software                  |
| Architecture | Clock | Communication | Structure    | Synchronisation | Preemption |
| (n, p)       | Mode  | (Cpx, Snc)    | (Jb, St, Ld) | Constraints     | Prmpt      |
that can be understood with the following semantics:
• Hardware specifications
. Architecture $= (n, p) \in (\mathbb{N}^* \cup \{n\})^2$
n specifies the number of nodes, and p the maximum number of processors on each one.
. Clock $= Mode \in \{common, harmonic, synch, independent\}$
specifies the time dynamics of the processors of each node. Its specification is based on unit (the common duration of all atomic statements) and start (starting date of the processor driving clock). Using processors $(p_i)_{i\in[1,p]}$ on a node, the semantics to be associated with the possible choices are the following:
common all processors follow the same clock:
$$(i, j) \in [1, p]^2 \Rightarrow \begin{cases} speed(p_i) = speed(p_j) \\ start(p_i) = start(p_j) \end{cases}$$
harmonic speeds of processors follow the same clock, in a harmonic way:
$$(i, j) \in [1, p]^2 \Rightarrow \begin{cases} speed(p_i) \in speed(p_j)\,\mathbb{N} \ \vee\ speed(p_j) \in speed(p_i)\,\mathbb{N} \\ start(p_i) = start(p_j) \end{cases}$$
synch all processors follow clocks which start simultaneously:
$$(i, j) \in [1, p]^2 \Rightarrow start(p_i) = start(p_j)$$
independent processors follow different clocks, and then there is no relation between speeds and starts
. Communication $= (Cpx, Snc) \in \{H_0, H_-, H_+\} \times \{s, b, a\}$
Cpx specifies communication complexities: $H_0$ for centralized (and then a null complexity), $H_+$ for non-null same complexity communications, $H_-$ for heterogeneous communication.
Snc specifies the synchronism level of communication channels. Channels between two tasks are implemented on buffers of size $k \in \overline{\mathbb{N}}$, that are specified in the following way: s for synchronous (i.e. $k = 0$), b for asynchronous with limited buffer (i.e. $k \in \mathbb{N}^*$), a for asynchronous ($k = +\infty$).
• Software specifications
. Structure $= (Jb, St, Ld) \in \{s, p, a\} \times \{0, r_i, \perp\} \times \{C_f, C_v\}$
with the following semantics:
s All tasks are sporadic
p All tasks are periodic
a There are periodic and sporadic tasks
0 The first instances of all tasks are activated synchronously at time 0
$r_i$ The first instances of all tasks are not activated synchronously at time 0
⊥ No specification is given on first activation dates
$C_f$ All instances of a job require the same CPU allocation time
$C_v$ Two different instances of a same job may require different CPU allocation times
. Synchronization= Constraints ∈ P ({r, c, p, x})
with the following semantics:
r There is resource sharing between jobs
c There is communication between jobs
p There are precedence constraints between jobs
x There are exclusion constraints between jobs
. Preemption= Prmpt ∈ {notp, parp, totp}
with the following semantics:
notp Tasks cannot be preempted
parp Tasks can be preempted, excluding some specific contexts (e.g. critical sections)
totp Tasks can be preempted whatever the context
3. Time validation process for periodic systems
In this section, we consider the context
|               Hardware               |                   Software                   |
| Architecture | Clock  | Communication | Structure       | Synchronisation | Preemption |
| p ≥ 1        | Common | (H0, s)       | (p, r_i, C_f)   |                 | totp       |
This context is called ICCT(p) in the following (I for independent tasks, the first C for common clock, the second
C for centralized system, T for periodic real-time system and (p) for p processors). In the following, the task system
$(\tau_i)_{i\in[1,n]}$ is noted Γ: n is the number of tasks.
3.1. Basic notions on languages
The reader is presumed to be familiar with the basic notions about words, languages and automata [19]. However,
we wish to recall two basic notions and some notations and results, of which we have made use in this paper.
In the following, Reg(Σ ) is the class of regular languages on the alphabet Σ .
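Definition 1. Let $\Sigma_1$ and $\Sigma_2$ be two alphabets. The Shuffle ($\sqcup\!\sqcup$) is a binary operation on words or languages, defined in the following way:
(1) $\forall a \in \Sigma_1 \cup \Sigma_2,\ a \sqcup\!\sqcup = \sqcup\!\sqcup\, a = \{a\}$
(2) $\forall (a, b, \omega, \xi) \in \Sigma_1 \times \Sigma_2 \times \Sigma_1^* \times \Sigma_2^*,\ a\omega \sqcup\!\sqcup b\xi = a\,(\omega \sqcup\!\sqcup b\xi) \cup b\,(a\omega \sqcup\!\sqcup \xi)$
(3) $\forall L_1 \subset \Sigma_1^*, \forall L_2 \subset \Sigma_2^*,\ L_1 \sqcup\!\sqcup L_2 = \bigcup_{(\alpha,\beta)\in L_1\times L_2} (\alpha \sqcup\!\sqcup \beta)$
Proposition 1. Let $\Sigma_1$ and $\Sigma_2$ be two alphabets, and $L_1 \subset \Sigma_1^*$ and $L_2 \subset \Sigma_2^*$. We get $L_1 \in Reg(\Sigma_1) \wedge L_2 \in Reg(\Sigma_1) \Rightarrow L_1 \sqcup\!\sqcup L_2 \in Reg(\Sigma_1 \cup \Sigma_2)$.
Definition 2. Let $L \subset \Sigma^*$, and let $\omega \in L$. We call the prefix of $\omega$ every $\alpha \in \Sigma^*$ such that $\exists \beta \in \Sigma^*$ such that $\omega = \alpha\beta$.
The set of prefixes of a word $\omega$ is denoted $Pref(\omega)$. This definition is extended to languages by way of $Pref(L) = \bigcup_{\alpha\in L} Pref(\alpha)$.
Definition 3. Let $L \subset \Sigma^*$, and $\omega \in L$. We call infinitely extendable prefix of $L$ every $\alpha \in \Sigma^*$ such that $\forall n \in \mathbb{N}, \exists \beta \in \Sigma^*$ such that $|\beta| > n$ and $\alpha\beta \in L$. The set of infinitely extendable prefixes of $L$ is called $Center(L)$.
Proposition 2. We obtain
(1) $Center(L) = L^* Pref(L)$
(2) $L \in Reg(\Sigma) \Rightarrow Center(L) \in Reg(\Sigma)$.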
3.2. The language of job-valid behaviors
We define the notion of time unit in the following way: it is the execution time of an atomic statement (i.e. an
assembler statement) on the target machine. In this work, we consider this value to be shared by all atomic statements.
Let us consider the job $\tau_i$, whose time parameters are $r_i \in \mathbb{N}$, $C_i \in \mathbb{N}^*$, $D_i \in \mathbb{N} \cap [C_i, +\infty[$ and $T_i \in \mathbb{N} \cap [D_i, +\infty[$. From its activation date $r_i + k \times T_i$, the kth instance of $\tau_i$ must own a CPU resource for $C_i$ time units on the time interval $[r_i + k \times T_i,\ r_i + k \times T_i + D_i[$. Let us note $a_i$ the state "$\tau_i$ owns a CPU for one time unit", and $\bullet$ the state "$\tau_i$ does not own a CPU for one time unit". Every word of $a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i}$ corresponds, on any time interval of the form $[r_i + k \times T_i,\ r_i + k \times T_i + D_i[$, to a processor time allocation compatible with the time constraints of $\tau_i$. This set is regular. If the scheduling configuration is valid, $\tau_i$ is inactive on every time interval of the form $]r_i + k \times T_i + D_i,\ r_i + (k + 1) \times T_i[$. This inactivity is modeled by the word $\bullet^{T_i-D_i}$. Then, every word of $(a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i}$ is a correct CPU time allocation for $\tau_i$ on any time interval of the form $[r_i + k \times T_i,\ r_i + (k + 1) \times T_i[$.
The task $\tau_i$ is defined as the sequence $(\tau_{ij})_{j\in\mathbb{N}}$ of its instances. A processor allocation compatible with $\tau_i$’s time constraints is a sequence of processor allocations compatible with $\tau_i$’s successive instance time constraints. Let $(\omega_j)_{j\in\mathbb{N}} \in ((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^{\mathbb{N}}$. For each $n \in \mathbb{N}$, the word $\omega_0\omega_1 \ldots \omega_n$ models a time valid processor time allocation for any sequence of $n + 1$ successive instances of $\tau_i$. In a general way, any word $\omega$ of $((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^*$ models a valid processor time allocation for $\tau_i$ on any time interval of the form $[r_i + k \times T_i,\ r_i + k \times T_i + |\omega|[$, and then, in particular, on the time interval $[r_i,\ r_i + |\omega|[$. Insofar as $\tau_i$ is inactive on interval $[0, r_i[$, word $\bullet^{r_i}\omega$ models a valid processor allocation on the time interval $[0,\ r_i + |\omega|[$. $\omega$ can be as long as we wish. Then, the language $\bullet^{r_i}((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^*$ collects all the valid processor allocation for $\tau_i$.
The scheduling validation problem consists, at time $t$, in deciding on the evolution possibilities of $\tau_i$ in both a given hardware and a given software context. Of course, the past of $\tau_i$ is known. Here, this past is the history of $\tau_i$’s CPU allocations, that is to say a finite word $\omega$ of $\{a_i, \bullet\}^*$. During this past, some instances of $\tau_i$ were completed, and the current instance is on (we can say so even at the outset). Then, by construction, $\omega$ is of the form $\omega_1.\mu$, where $\omega_1 \in \bullet^{r_i}((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^*$ (the completed past instances), and $\exists \nu \in \{a_i, \bullet\}^*$ such that $\mu\nu \in ((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})$ (the current instance can be completed according to the time constraints). So, $\omega$ is a prefix of a word of $\bullet^{r_i}((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^*$. Moreover, by construction as well, any instant $f$ belonging to $]t, +\infty[$ (the future), there exists $\eta \in ((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^*$ such that $|\omega\nu\eta| > f$. Following which, at each time $t$, the past $\omega$ of $\tau_i$ is a word of the center of $\bullet^{r_i}((a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i})\,\bullet^{T_i-D_i})^*$. Reciprocally, by definition, every word of this center language is the past of a valid processor allocation configuration.
Definition 4. We call Time-Valid Behavior of $\tau_i$ every word of
$$Center\left(\bullet^{r_i}\left(\left(a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i}\right)\bullet^{T_i-D_i}\right)^*\right).$$
A time-valid behavior of $\tau_i$ models a processor time allocation (for $\tau_i$) such that we can guarantee that, in the future, the past of $\tau_i$ can effectively be extended according to $\tau_i$ time constraints. In the following, we denote this language by $L(\tau_i)$.
Remark 1. By following a similar line of reasoning, we can show that the time-valid behaviors of a sporadic job $\tau_i$, of time parameters¹ $C_i$, $D_i$ and $T_i$ belong to
$$Center\left(\bullet^*\left(\left(a_i^{C_i} \sqcup\!\sqcup \bullet^{D_i-C_i}\right)\bullet^{T_i-D_i}\,\bullet^*\right)^*\right).$$
In the following, all the techniques we use and the properties we obtain arise from the property "$L(\tau_i)$ collects all valid behaviors". Then, since this property also applies to sporadic tasks, all these techniques and properties may be applied to periodic as well as sporadic jobs. For simplicity’s sake, in the following, we deal only with periodic jobs, but all the obtained results are applicable for the general case.
3.3. Model for concurrency: The language of system-valid behaviors
In order to model concurrency, we use the homogeneous product of regular languages, which is defined as follows:
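Definition 5. Let $\Sigma_1$ and $\Sigma_2$ be finite alphabets, and $L_1 \subset \Sigma_1^*$ and $L_2 \subset \Sigma_2^*$.
• Let $\alpha = \alpha_1\alpha_2 \ldots \alpha_n \in L_1$ and $\beta = \beta_1\beta_2 \ldots \beta_n \in L_2$ two words of the same length $n$. The homogeneous product of $\alpha$ and $\beta$ is the word $\alpha\,\Omega\,\beta = \binom{\alpha_1}{\beta_1}\binom{\alpha_2}{\beta_2} \ldots \binom{\alpha_{|\alpha|}}{\beta_{|\beta|}} \in (\Sigma_1 \times \Sigma_2)^n$.
• The homogeneous product of languages $L_1$ and $L_2$ is the language
$$L_1\,\Omega\,L_2 = \bigcup_{n\in\mathbb{N}} \left( \bigcup_{\substack{\alpha\in L_1\cap\Sigma_1^n \\ \beta\in L_2\cap\Sigma_2^n}} \{\alpha\,\Omega\,\beta\} \right)$$
$\Omega$ is a binary operator. Then, the expression $(a\,\Omega\,b)\,\Omega\,c$ is equal to $\binom{\binom{a}{b}}{c}$, and the expression $a\,\Omega\,(b\,\Omega\,c)$ is equal to $\binom{a}{\binom{b}{c}}$. In this case, the semantics associated with a vector is simultaneity. Then, $\binom{\binom{a}{b}}{c}$ and $\binom{a}{\binom{b}{c}}$ share the same semantics, which is simultaneous execution of a, b and c. Of course, such semantics can also be associated with the vector $\begin{pmatrix} a \\ b \\ c \end{pmatrix}$. We consider that $\binom{\binom{a}{b}}{c} \equiv \binom{a}{\binom{b}{c}} \equiv \begin{pmatrix} a \\ b \\ c \end{pmatrix}$. It follows that the operator $\Omega$ is associative, and can naturally be generalized to n-uples of languages.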
A behavior of Γ corresponds to a n-uple of behaviors of the $\tau_i$’s, the semantics associated with $\binom{a}{b}$ being simultaneity of a and b. That is why the set of behaviors of Γ is $\Omega_{i=1}^{i=n}(L(\tau_i))$. The homogeneous product does not reduce the set of behaviors for jobs. And since all $L(\tau_i)$’s are centers of regular languages, $\Omega_{i=1}^{i=n}(L(\tau_i))$ is also a center of language.
If there are fewer processors than jobs (a frequent case!), owning a processor is a resource-sharing problem. It is integrated within the model thanks to Arnold–Nivat’s technique [6]: for a p processor architecture, we take into account the language
$$S_p = \left\{ \omega \in \prod_{i=1}^{i=n} \{\bullet, a_i\} \text{ such that } |\omega|_\bullet \ge n - p \right\}$$
that collects the instantaneous configurations corresponding to valid executions on p processors. The language $\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*$ collects all time behaviors that are compatible with both $\tau_i$’s time specifications and p-processor hardware architectures.
Fig. 2. Generic automata for periodic and sporadic tasks.
¹ Recall that for sporadic jobs, $T_i$ specifies the minimum time interval between two successive instances of the alarm signal associated with $\tau_i$.
The class of regular language centers is not closed by intersection. Here, this property means that processor-sharing can lead a real-time job system to miss at least one of the imposed deadlines. Since we are interested in the set of time-valid behaviors, we only consider the subset of $\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*$ that collects the time-valid behaviors (i.e. the scheduling sequences that can be indefinitely extended according to the system time constraints) for the whole real-time system.
The language $\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*$ is partitioned into two languages
$$L_{inf} = Center\left(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\right)$$
and
$$L_{fin} = \left(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\right) \setminus Center\left(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\right).$$
$L_{inf}$ collects all behaviors compatible with the p-processor constraint, and which can be infinitely extended according to $\tau_i$’s time specifications: they are valid behaviors. On the contrary, $L_{fin}$ collects other behaviors: since they do not belong to the center of the language, they model CPU allocation sequences ensuring that, in the future, at least one of the $\tau_i$’s will miss its deadline. Then, $L_{inf}$ indicates the exact set of time-valid behaviors.
This is why we define the set of time-valid behaviors of a job system in the following way:
Definition 6. We call time-valid behavior for the system Γ within the context ICCT(p) every element of the language
$$L\binom{\Gamma}{ICCT(p)} = Center\left(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\right).$$
3.4. Feasibility decision
The language $L(\tau_i)$ is implemented through its canonical associated finite automata $A(\tau_i)$ (they follow generic structures: see Fig. 2). Thus, the language $L\binom{\Gamma}{ICCT(p)}$ is also implemented thanks to the computing of its associated finite automaton $A\binom{\Gamma}{ICCT(p)}$, which is calculated from the $A(\tau_i)$’s through algebraic operations on automata. The decisions pertaining to these languages arise from the structural properties of the corresponding automata. Thus, the existence of these automata is necessary to reach the decision. That is why, in the following, we always show that synchronized products are regular.
The language $L\binom{\Gamma}{ICCT(p)}$ is designed to contain all valid behaviors of the system Γ. Thus, deciding on the feasibility of Γ under the context ICCT(p) comes about in an obvious way through the construction of this language:
Theorem 1. The system Γ is valid within the context ICCT(p) if and only if $L\binom{\Gamma}{ICCT(p)} \neq \emptyset$.
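The decision procedure of Sections 3.2 to 3.4, as an added Python example that is not code from the paper: each automaton of L(τ_i) is generated on the fly, the product is restricted to S_p, and the Center is obtained by pruning states that have no infinite continuation. The (phase, done) state encoding, the function names and the three-task set DEMO are assumptions constructed for illustration.

```python
from itertools import combinations

# A task is (r, C, D, T): first activation, CPU load, critical delay, period.
# A task state is (phase, done): phase counts time units since the current
# activation (negative while inside the initial idle prefix of length r),
# done counts CPU units already granted to the current instance.

def step(task, state, runs):
    """Read one letter of the automaton of L(tau_i): a_i if runs, else idle.
    Returns the next state, or None if the letter is not allowed or the
    current instance could no longer complete before its deadline."""
    r, C, D, T = task
    phase, done = state
    if runs:
        if phase < 0 or phase >= D or done >= C:
            return None
        done += 1
    phase += 1
    if phase <= 0:                      # still inside the idle prefix
        return (phase, 0)
    if C - done > max(D - phase, 0):    # remaining load exceeds remaining window
        return None
    return (0, 0) if phase == T else (phase, done)


def product(tasks, p):
    """Reachable part of the homogeneous product restricted to S_p: in each
    time unit at most p tasks own a CPU. Maps state -> {letter: next state},
    a letter being the frozenset of indices of the running tasks."""
    n = len(tasks)
    letters = [frozenset(c) for k in range(min(p, n) + 1)
               for c in combinations(range(n), k)]
    start = tuple((-t[0], 0) for t in tasks)
    graph, todo = {}, [start]
    while todo:
        s = todo.pop()
        if s in graph:
            continue
        graph[s] = {}
        for running in letters:
            nxt = [step(t, s[i], i in running) for i, t in enumerate(tasks)]
            if None not in nxt:
                graph[s][running] = tuple(nxt)
                todo.append(tuple(nxt))
    return start, graph


def center(start, graph):
    """Automaton of the Center: remove every state with no infinite path
    (those prefixes belong to L_fin), then keep what start still reaches.
    An empty result means the language is empty."""
    alive = set(graph)
    while True:
        dead = {s for s in alive
                if not any(t in alive for t in graph[s].values())}
        if not dead:
            break
        alive -= dead
    auto, todo = {}, ([start] if start in alive else [])
    while todo:
        s = todo.pop()
        if s not in auto:
            auto[s] = {l: t for l, t in graph[s].items() if t in alive}
            todo.extend(auto[s].values())
    return auto


def feasible(tasks, p):
    """Theorem 1: the system is valid iff the center language is not empty."""
    return bool(center(*product(tasks, p)))


def edge_count(tasks, p):
    """Number of transitions of the validation automaton."""
    return sum(len(out) for out in center(*product(tasks, p)).values())


def witness(tasks, p, length):
    """One valid scheduling sequence: running task indices per time unit."""
    start, graph = product(tasks, p)
    auto, s, seq = center(start, graph), start, []
    if not auto:
        return None
    for _ in range(length):
        running, s = next(iter(auto[s].items()))
        seq.append(sorted(running))
    return seq


# Constructed task set: three identical tasks (r=0, C=2, D=3, T=3).
DEMO = [(0, 2, 3, 3)] * 3

if __name__ == "__main__":
    print(feasible(DEMO, 2), feasible(DEMO, 1))   # two processors vs one
    print(witness(DEMO, 2, 3))                    # one valid period
    print(edge_count([(0, 4, 5, 5)], 1))          # single-task automaton size
```

For the single task (r=0, C=4, D=5, T=5), `edge_count` returns 13, the |A_i| value the Section 3.5 table lists for τ1. On DEMO with two processors, five of the twelve reachable product states are pruned: they are prefixes in L_fin, where some deadline can no longer be met.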
Fig. 3. Preliminary DARTS diagram for the UAV controller.
3.5. A case study: The AMADO project
From 2002 through July 2005, the French National Research Agency for Space and Aeronautics (ONERA) organized an international competition for the design of miniature unmanned air vehicles (UAV): the AMADO² project (see [1] for details). This competition was open to all universities and engineering schools in the world, and was sponsored by the Délégation Générale de l’Armement (DGA), of the French Defense Ministry.
One goal of this competition was to demonstrate the technical feasibility of miniature UAV as an infantry aid. Even though DGA is an organization devoted to weapon conception, UAVs were designed for the sake of observation, not destruction; they may be viewed as flying binoculars.
Three Poitiers-based labs³ took part in this competition, and are designing a UAV prototype.
In this paper, we are only interested in controller program design, and more specifically in its autonomous running
mode. In this context, the embedded software must drive the UAV in autonomous mode. This part of the software is
composed of 7 periodic jobs with invariable CPU load. These jobs share 6 critical resources, which are not considered
in this section. Fig. 3 presents its DARTS preliminary diagram. Time specifications for the different jobs that compose
this controller are the following:
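| Job | Role                        | r_i | D_i | T_i | C_i |
| τ1  | Read Attitude               | 0   | 5   | 5   | 4   |
| τ2  | Read Flight Instruments     | 0   | 5   | 5   | 4   |
| τ3  | Read GPS                    | 0   | 12  | 25  | 10  |
| τ4  | Transmit to servo-mechanism | 0   | 6   | 10  | 2   |
| τ5  | Transmission                | 0   | 5   | 5   | 2   |
| τ6  | Navigation                  | 0   | 15  | 25  | 10  |
| τ7  | Regulation                  | 0   | 16  | 25  | 10  |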
² Automated Miniature Aircraft for Detection and Observation.
³ - LISI (Research Ministry Team (EA) nr 1232): Lab of Applied Computer Science
- SIC (CNRS Emerging Team (FRE) nr 2731): Signal, Image, Communication
- LEA (CNRS Research Unit (UMR) nr 6609): Lab of Aerodynamics.
Computation of the validation automaton for this system is carried out following the sequence presented below, which shows both the order of the computing and the sizes (edge counting) of homogeneous (Ω) as well as synchronized (Π) product automata. Recall that homogeneous products model concurrency, and synchronized products model processor sharing. The reader may note that in the following table, both |Ω| and |Π| share the same values for subsystems limited to the first four jobs: since we have four processors at our disposal, there is no processor sharing, so synchronized products are not computed. On the contrary, there is processor sharing as soon as the 5th job is integrated in the product, and then there exist differences between |Ω| and |Π|.
| Job | |A_i| | |Ω| after integrating the job | |Π| after integrating the job |
| τ1  | 13    |                               |                               |
| τ2  | 13    | 35                            | 35                            |
| τ3  | 84    | 591                           | 591                           |
| τ4  | 26    | 1513                          | 1513                          |
| τ5  | 17    | 5552                          | 5544                          |
| τ6  | 120   | 33 417                        | 33 041                        |
| τ7  | 140   | 57 618                        | 48 975                        |
The final product is not empty: this system is feasible for a 4-processor target, without considering critical resource
sharing.
4. Integrating job constraints
In this section, we integrate job interdependence to the model, and we show that the validation results always
stand. The constraints we wish to consider are critical resource sharing and message-based communications. Thus,
we consider the context
|               Hardware               |                   Software                   |
| Architecture | Clock  | Communication | Structure       | Synchronisation | Preemption |
| p ≥ 1        | Common | (H0, s)       | (p, r_i, C_f)   | rc              | totp       |
Let ∆ be the set of items (resources, messages, etc.) concerning the job system synchronization. The corresponding
context is called D (∆)CCT (p) (with D (∆) for dependent jobs under constraint set ∆) in the following.
4.1. Using Arnold–Nivat synchronized products
To integrate job interdependence (communication, resource sharing) between the τi ’s, we also use Arnold–Nivat’s
technique [6]: each resource R (shared resource or communication message) is modeled by a virtual job ξR , designed
to trace its states (busy/idle, for instance, for a shared resource using a basic protocol, but more highly elaborated
protocols can likewise be modeled [7]).
The principle of the Arnold/Nivat model is presented in Fig. 4:
• We consider a set of tasks sharing a critical resource: each task is modeled by a finite automaton. The first
step consists in building the product automaton, which models the concurrent system composed of all the
tasks.
• The protocol used to manage the constraint (shared resource or any other constraint) is a process: it is modeled by
the use of a specific automaton (see [7], for instance). In the case of Fig. 4, the constraint consists in executing b
before executing ψ (precedence constraint). Step 2 consists in producing the product automaton that models the
concurrent running of both the task system and the protocol. Step 3 consists in erasing all states (and corresponding
edges) of the automaton which correspond to a violation of the protocol.
• The product automaton is composed of the states which satisfy the constraint: the protocol component is now
useless (it is not part of the task system), it can be erased through use of a projection (step 4).
Fig. 4. Arnold–Nivat model for resource sharing.
The general process can be viewed as follows.
$(\Omega_{i=1}^{i=n} L(\tau_i))\,\Omega\,L(\xi_R)$ collects the behaviors of the system composed of both the $\tau_i$’s and the resource R. Let us now consider the set $S_R$ of the instantaneous configurations compatible with the resource protocol management. $((\Omega_{i=1}^{i=n} L(\tau_i))\,\Omega\,L(\xi_R)) \cap S_R^*$ collects only the behaviors of Γ which are compatible with the resource protocol management.
Now, we use the same property as for processor sharing (see Section 3.4): the class of regular language centers is not closed by intersection. Here, this property means that sharing a critical resource can lead a real-time system to miss at least one of the imposed deadlines. Since we are still interested in the set of time-valid behaviors, we again consider the subset of $((\Omega_{i=1}^{i=n} L(\tau_i))\,\Omega\,L(\xi_R)) \cap S_R^*$ that collects the time-valid behaviors (i.e. the scheduling sequences that can be indefinitely extended according to the system time constraints) for the whole system. Following the same reasoning as for context ICCT(p), we collect all infinitely extendable behaviors of this set, i.e. we consider
$$L\binom{\Gamma}{D(R)CCT(\infty)} = Center\left(\left(\left(\Omega_{i=1}^{i=n} L(\tau_i)\right)\Omega\,L(\xi_R)\right) \cap S_R^*\right).$$
This language is associated with the context D(∆)CCT(∞), because it collects all time-valid behaviors according to both time and resource protocol constraints, but without considering processor sharing constraints. These can be integrated in the model through renewed use of Arnold–Nivat’s technique, in the same way as for ICCT(p) context, i.e. computing $L\binom{\Gamma}{D(R)CCT(p)} = Center\left(L\binom{\Gamma}{D(R)CCT(\infty)} \cap S_p^*\right)$.
Remark 2. Let $\rho_j$ be the projection $(x_i)_{i\in[1,n]} \to x_j$, and let us extend this notation to intervals, by defining $\rho_{[a,b]}$ as the projection
$$(x_i)_{i\in[1,n]} \to (x_i)_{i\in[Max(1,a),\,Min(b,n)]}$$
In the language $L\binom{\Gamma}{D(R)CCT(p)}$, the components corresponding to virtual jobs modeling resources are now useless: we erase them from the model by using $\rho_{[1,n]}$. Thus, we finally consider the language $\rho_{[1,n]}\left(L\binom{\Gamma}{D(R)CCT(p)}\right)$. For the sake of simplicity, we shall denote this language by $L\binom{\Gamma}{D(R)CCT(p)}$: then, in the following, we omit writing the $\rho_i$’s.
Since a synchronization model is based upon intersections of languages, we obtain
$$L\binom{\Gamma}{D(\{R_1, R_2\})CCT(p)} = Center\left(L\binom{\Gamma}{D(R_1)CCT(p)} \cap S_{R_2}^*\right).$$
Applying this property by induction, we obtain the following definition:
Definition 7. Let Γ be a real-time system and $\Delta = (R_j)_{j\in[1,r]}$ be a set of synchronization constraints (resource or messages). We call time-valid behavior of Γ under the context D(∆)CCT(p) every element of the language
$$L\binom{\Gamma}{D(\Delta)CCT(p)} = Center\left(L\binom{\Gamma}{ICCT(p)} \cap \left(\bigcap_{i=1}^{i=n} \left(S_{R_i}^*\right)\right)\right)$$
where $S_{R_i}$ is the set of valid instantaneous configurations, according to resource $R_i$ management protocol.
In [6], the author shows how this technique can be used in order to model resource sharing, precedence and
communication by message.
4.2. Feasibility decision
Like $L\left(\Gamma_{ICCT(p)}\right)$, $L\left(\Gamma_{D(\Delta)CCT(p)}\right)$ is a language that collects time-valid behaviors of the system. Then,
Theorem 1 remains valid. Thus, we obtain: Γ is valid under context D(∆)CCT(p) $\Leftrightarrow L\left(\Gamma_{D(\Delta)CCT(p)}\right) \neq \emptyset$.
4.3. The AMADO project: Feasibility with critical resources
Let us now complete the feasibility study we began in Section 3.5, by including critical resource sharing in the
synchronized product computing. First, we complete the table that presents time characteristics of jobs along with the
resources used (resources are identified as R1, R2, and so on):
| Job | Role | $r_i$ | $D_i$ | $T_i$ | $C_i$ | Resources used |
|---|---|---|---|---|---|---|
| τ1 | Read Attitude | 0 | 5 | 5 | 4 | Infos Flight (R1), Precedence Regulation (R2) |
| τ2 | Read Flight Instruments | 0 | 5 | 5 | 4 | Flight plan (R3), Command (R4) |
| τ3 | Read GPS | 0 | 12 | 25 | 10 | Infos Flight (R1), Precedence Navigation (R5) |
| τ4 | Transmit to servo-mechanism | 0 | 6 | 10 | 2 | Command (R4) |
| τ5 | Transmission | 0 | 5 | 5 | 2 | Infos Flight (R1) |
| τ6 | Navigation | 0 | 15 | 25 | 10 | Precedence Navigation (R5), Flight plan (R3), Attitude Instructions (R6) |
| τ7 | Regulation | 0 | 16 | 25 | 10 | Precedence Regulation (R2), Command (R4), Attitude Instructions (R6) |
Computing the validation automaton for this system is carried out following the sequence presented in the table
drawn below, in the same way as for an independent job case: Ω and $R_j\,\Pi$ denote homogeneous and resource
$R_j$ synchronized product automata, and C denotes the center language automaton, which is computed after each
synchronized product. Each synchronization addresses both resource and processor sharing. The reader can note that
in the following computation, tasks are integrated within the product following a different order than in Section 3.5:
we begin by integrating the more constrained tasks, in order to limit product automata sizes as much as possible.
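| Job | $\lvert A_i\rvert$ | $\lvert\Omega\rvert$ | $R_j$ ($\lvert\Pi\rvert$ / $\lvert C\rvert$) |
|---|---|---|---|
| τ7 | 140 | | |
| τ6 | 120 | 1055 | R6 (884 / 786) |
| τ3 | 84 | 8233 | R5 (8179 / 8179) |
| τ2 | 13 | 20 868 | R3 (18 429 / 17 358), R4 (14 083 / 10 210) |
| τ1 | 13 | 23 098 | R2 (17 710 / 15 701), R1 (11 506 / 9946) |
| τ5 | 17 | 15 701 | R1 (3939 / 0) |
| τ4 | 26 | 0 | R4 (0 / 0) |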
The final product is empty: this system is not feasible for a 4-processor target, according to critical resource sharing.
Since this system is feasible without considering resource sharing (see Section 3.5), the resources are responsible for
infeasibility.
Let us now observe the synchronization constraint levels involved by each resource, for instance by evaluating
the ratios $\frac{|C|}{|\Pi|}$. With this objective, for each resource $R_i$, we study the subsystem composed of all jobs that share $R_i$,
without processor sharing (i.e. using as many processors as jobs). Resource R1 is the most constraining: it leads, for
a 3-job system, to a level of $\frac{94}{654}$, that is to say about 16%. Overloading R1-sharing with processor sharing, this level
drops to 9% for a 2-processor target, and to 1% for a 1-processor target. That is why the whole system is not feasible. The
feasibility system diagnosis advises the designer to observe R1 sharing to render the system feasible.
5. WCET free analysis
In general, real-time jobs execute programs whose CPU load is variable: they contain both if...then...else or
for...do statements. In this case, the CPU load of each instance of the job depends on the values of some of its
variables, i.e. its functional semantics. In previous sections, the task τi is associated with the time parameter Ci , which
specifies its CPU allocation time. This value must be viewed as the WCET: it is the minimal CPU allocation time
needed to schedule τi in the worst case (see Fig. 6).
Fig. 5. From the program to the graph.
In this section, we are extending our model in order to analyse systems in accordance with the real values of Ci , as
opposed to WCET values. We have termed this manner of proceeding WCET-free analysis.
In this study, we consider programs composed of both atomic (:=), choices (if... statements) and static loop
statements (Ada like for...). We consider neither dynamic loops nor recursive subroutine calls: in the context of
hard real-time software, this restriction is realistic.
Thus, the context considered here is
Hardware Software
Architecture Clock Communication Structure Synchronisation Preemption
p ≥ 1 Common (H0, s) (p, ri ,Cv) rc totp
This context is called D (∆)CCVT (p) (with V for variable CPU load tasks) in the following.
5.1. The language of job-valid behaviors
To integrate these kinds of jobs, one must model many CPU loads for each $\tau_i$. However, not all CPU loads are
allowed: the only ones allowed are those which effectively correspond to at least one of the functional behaviors of the
job. Let us consider, for instance, the program presented on Fig. 5. It is associated with its canonical finite automaton
representation by applying the morphism Statement → $a_i$ to all values that label edges (they are statements). Thus,
every path through this automaton is labeled with a word $a_i^j$, where j is a CPU allocation duration compatible with
at least one of the behaviors of $\tau_i$. In this example, the set is $a^2\left\{a^2,\ a^2\left(a^2\left\{a, a^2\right\}\right)\right\}$, which can also be described
by $\left\{a^4, \left(a^{28+i}\right)_{i\in[1,8]}\right\}$. We denote this set with $P_{\tau_i}$. It is always finite, because there are no dynamic statements
in the program (no dynamic loops, no recursive subroutine calls). For $\omega \in P_{\tau_i}$, $\mathrm{Center}\left(\bullet^{r_i}\left(\left(\omega\, W\, \bullet^{D_i-|\omega|}\right)\bullet^{T_i-D_i}\right)^*\right)$
collects the set of time-valid behaviors of $\tau_i$ such that each instance of $\tau_i$ uses a CPU allocation of $|\omega|$ time units.
Now, let us call $(\omega_k)_{k\in I}$ the words that belong to $P_{\tau_i}$. Since $P_{\tau_i}$ is finite, I is finite too. In general, time-valid
behaviors of successive instances of $\tau_i$ correspond to different $\omega_k$'s. Then, a time-valid behavior of $\tau_i$ belongs to
$$L(\tau_i) = \mathrm{Center}\left(\bullet^{r_i}\left(\left(\bigcup_{k\in I}\left(\omega_k\, W\, \bullet^{D_i-|\omega_k|}\right)\right)\bullet^{T_i-D_i}\right)^*\right).$$
Since I is a finite set, this language remains regular.
The L(τi )’s being sets of τi ’s valid behaviors, computing the set of valid behaviors of the whole system Γ is based
upon both homogeneous products and Arnold–Nivat’s synchronization technique.
Fig. 6. From the graph to the CPU load set.
5.2. Feasibility decision
The role of Arnold–Nivat’s synchronization technique is to forbid some behaviors of the τi ’s. Under the context
D (∆)CCT (p), forbidding a behavior corresponds to forbidding a specific CPU allocation sequence, but no
restrictions are imposed on specific functional behaviors of the job.
Under the context D(∆)CCVT(p), synchronizing may forbid $\tau_i$ from following some of its behaviors (the shorter
ones, for instance), and allow it to follow others (the longer ones). Thus, the predicate $L\left(\Gamma_{D(\Delta)CCVT(p)}\right) \neq \emptyset$ captures the
following property: for each job, there exists at least one valid path. We call this property weak feasibility:
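Notation 1. Recall that we are noting $\rho_i$ the projection of a vector V on its i-th component. At this point, we are
introducing a new projection: $\pi$.
Let A be an alphabet, and $B \subset A$. We note respectively $\pi_B$ and $\pi_{\neg B}$ the two morphisms
$$\pi_B : A \to B,\ \begin{cases} x \in B \to x \\ x \in A\setminus B \to \varepsilon \end{cases} \quad\text{and}\quad \pi_{\neg B} : A \to B,\ \begin{cases} x \in B \to \varepsilon \\ x \in A\setminus B \to x. \end{cases}$$
When $A = \{a\}$, we note $\pi_{\{a\}}$ as well as $\pi_a$.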
Definition 8. A real-time system $\Gamma = \{(\tau_i)_{i\in[1,n]}\}$ is weakly feasible under context C if $\forall i \in [1, n]$, $\exists \omega \in P_{\tau_i}$ such
that $\exists \alpha \in L\left(\Gamma_C\right)$ such that $\pi_{a_i}(\rho_i(\alpha)) = \omega$.
Thus, Theorem 1 addresses weak feasibility.
When job CPU loads are invariable, weak feasibility and feasibility are equivalent, since the only two alternatives
are the existence and the non-existence of one occurrence of ω. That is why Theorem 1 is useful when addressing
feasibility in this context.
On the other hand, as soon as there exists one τi whose successive instances follow different CPU loads,
this theorem is useless, since weak feasibility and feasibility are no longer equivalent: for such systems, weak
feasibility means that there are compatible behaviors. Others can nevertheless be forbidden, because of functional
incompatibilities (resource sharing, for instance).
Let us consider, for instance, a job system (τi )i∈[1,2], where τ1 and τ2 share a critical resource. The body of τ1 is
presented in Fig. 7.a. The structures of their respective bodies are such that, when resource sharing is used, both of the
two jobs miss their deadlines. However, for each of these two jobs, there exists a possible behavior compatible with
its time constraints: for τ1, it is the set of behaviors which avoids resource sharing (see Fig. 7.b). Thus, the system is
Fig. 7. Example of invalid configuration.
Fig. 8. Feasibility computation.
not feasible since some functional behaviors of jobs are excluded from systemic constraints, but it is weakly feasible:
it satisfies Theorem 1!
Thus, Theorem 1 does not stand within context D (∆)CCVT (p).
In a feasible system, every job may always be allowed to follow any of its (functional) behaviors according to both
resource sharing and time constraints. This property is stronger than weak feasibility. We call it strong feasibility:
Definition 9. A real-time system $\Gamma = \{(\tau_i)_{i\in[1,n]}\}$ is strongly feasible under context C if and only if
$$\forall (\omega_i)_{i\in[1,n]} \in \prod_{i=1}^{i=n} P_{\tau_i},\ \exists \alpha \in L\left(\Gamma_C\right) \text{ such that } \forall i \in [1, n],\ \pi_{a_i}(\pi_i(\alpha)) = \omega_i.$$
The feasibility of a system Γ is reached as soon as $L\left(\Gamma_C\right) \neq \emptyset$ and Γ is strongly feasible.
Let us consider the following example. We consider a system of two tasks τ1 and τ2 whose time characteristics are
the following: $r_1 = r_2 = 0$, $T = T_1 = T_2 = D_1 = D_2 = 2600$ and the $C_i$'s depend on the number $n \in [0, 255]$ of the
current instance of the task in the following way: $C_1 = 10n$, $n \le 10 \Rightarrow C_2(n) = 100$ and $n > 10 \Rightarrow C_2(n) = 255 - n$.
The WCET $C_{1max} = 2550$ is reached for n = 255, and the WCET $C_{2max} = 244$ for n = 11. For the context of this
example (synchronous independent tasks with implicit deadlines), the feasibility on p processors rests on the analytic
condition $\frac{C_1+C_2}{T} \le p$. Using this criterion with a classical WCET approach for a uniprocessor feasibility decision, we
get $\frac{C_{1max}+C_{2max}}{T} = \frac{2550+244}{2600} = \frac{2794}{2600} > 1$: the system is considered to be invalid. Using a WCET-free analysis consists
in computing the exact values $C_1(n) + C_2(n)$ for all possible n. We can see that this value increases from 110 (for
n = 0) to 2550 (for n = 255). Then we get $\forall n \in [0, 255],\ \frac{C_1(n)+C_2(n)}{T} < 1$. The task system is valid. This example
shows that there are systems that are valid, but detected as invalid by a classical WCET analysis.
These considerations lead us to generalize Theorem 1 in the following way (see Fig. 8).
Theorem 2. A system $\Gamma = \{(\tau_i)\}_{i\in[1,n]}$ is feasible under context D(∆)CCVT(p) if and only if
$$\begin{cases} L\left(\Gamma_{D(\Delta)CCVT(p)}\right) \neq \emptyset \\ \Gamma \text{ is strongly feasible.} \end{cases}$$
Note that for invariable CPU load, both weak and strong feasibility are equivalent, and that Theorems 1 and 2 address
the same property: feasibility.
If Γ satisfies Theorem 2, the set $L\left(\Gamma_{D(\Delta)CCVT(p)}\right)$ of its time-valid behaviors is a regular language. For such
languages, the star lemma [19] shows that every sufficiently long word contains an iterated subword.
Thus, this lemma leads to the following property: if Γ is a set of interdependent tasks, to be scheduled under the
context D (∆)CCVT (p), the time-valid behaviors of Γ are cyclic.
This consequence shows that the cyclicity problem for multiprocessor contexts [15] can be solved, hence on-line
scheduling can be validated by simulation for multiprocessors.
5.3. The AMADO project: Considering variable CPU load jobs
In the UAV controller, Navigation is the most complex job, in terms of control statements. Its program contains
some if/then/else constructors, and calls for some elementary computing subroutines (3 or 4 atomic statements
for each one, without control statements). This program and its translation into an operational model are presented in
the table presented in Fig. 9.
Translated into a set of operational behaviors, the program presented in this figure leads to
$$a^3\, P(R_5)\, a^{13}\, V(R_5)\, \{a, a^2\}\, P(R_3)\, a^{12}\, V(R_3)\, \{a, a^2\}\, P(R_6)\, a^8\, \{a, a^2\}^6\, V(R_6)\, a.$$
Since $\{a, a^2\}^6 = \{a^6, a^7, a^8, a^9, a^{10}, a^{11}, a^{12}\}$, operational behaviors of this program correspond to 24 different
CPU loads, the least loaded being a 51-time-units behavior, and the most loaded a 59-time-units.
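The CPU-load set of Section 5.1 can be computed directly from the structure of a program (atomic statements, choices, static loops); the sketch below is an added example, not the authors' tool, and evaluates the Navigation expression above. The function names are hypothetical, and it assumes that each P(R) and V(R) call costs one time unit, in line with Definition 10 where P and V each occupy one letter.

```python
from collections import Counter
from functools import reduce

def atom(n=1):
    """n atomic statements in sequence: one path costing n time units."""
    return Counter({n: 1})

def seq(*parts):
    """Sequential composition: loads add up, path counts multiply."""
    def concat(left, right):
        out = Counter()
        for load_l, paths_l in left.items():
            for load_r, paths_r in right.items():
                out[load_l + load_r] += paths_l * paths_r
        return out
    return reduce(concat, parts, Counter({0: 1}))

def choice(*branches):
    """if/then/else: exactly one branch is followed by an instance."""
    return reduce(lambda acc, branch: acc + branch, branches, Counter())

def loop(body, times):
    """Static loop: the body is repeated a fixed number of times."""
    return seq(*[body] * times)

# Assumption: each P(R) / V(R) call costs one time unit.
P = V = atom(1)
A_OR_A2 = choice(atom(1), atom(2))            # the set {a, a^2}

def navigation_loads():
    """CPU loads of the Navigation behaviors as {load: number of execution paths}."""
    return seq(atom(3), P, atom(13), V, A_OR_A2,      # a^3 P(R5) a^13 V(R5) {a, a^2}
               P, atom(12), V, A_OR_A2,               # P(R3) a^12 V(R3) {a, a^2}
               P, atom(8), loop(A_OR_A2, 6), V,       # P(R6) a^8 {a, a^2}^6 V(R6)
               atom(1))                               # a

def wcet(loads):
    """The single value a classical WCET analysis would keep."""
    return max(loads)

if __name__ == "__main__":
    loads = navigation_loads()
    for load in sorted(loads):
        print(f"a^{load}: {loads[load]} path(s)")
    print("WCET:", wcet(loads))
```

A WCET analysis keeps only `wcet(loads)`, whereas the language L(τi) of Section 5.1 is built from every load in the set.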
Computing of the synchronized product automaton associated with this variable CPU time real-time system follows
this sequence:
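| Job | $\lvert A_i\rvert$ | $\lvert\Omega\rvert$ | $R_j$ ($\lvert\Pi\rvert$ / $\lvert C\rvert$) |
|---|---|---|---|
| τ7 | 140 | | |
| τ6 | 212 | 2080 | R6 (2074 / 2074) |
| τ3 | 84 | 13 768 | R5 (12 866 / 12 678) |
| τ2 | 13 | 32 705 | R3 (29 382 / 27 858), R4 (25 327 / 14 296) |
| τ1 | 13 | 30 328 | R2 (21 269 / 18 770), R1 (15 431 / 13 904) |
| τ5 | 17 | 21 445 | R1 (2160 / 1707) |
| τ4 | 26 | 2302 | R4 (1324 / 379) |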
The final product is not empty: in accordance with critical resource sharing, the system is weakly feasible for a
4-processor target, but not strongly feasible: the one and only path accepted for scheduling purposes is the shortest
(51 time units).
6. Integrating hardware specifications
Let us now suppose that Γ is designed to run on a multiprocessor machine where some processors do not run at
the same speed. Moreover, we suppose that each τi is designed to run on a fixed processor (there is no task migration,
this hypothesis is realistic in the framework of real-time software). Let us consider the context
Hardware Software
Architecture Clock Communication Structure Synchronisation Preemption
p ≥ 1 Common starts (H0, s) (p, ri, Cv) rc totp
This context is called D (∆) SCV T (p) (with S for Common starting clocks) in the following.
Let τ1 and τ2 be two tasks designed to run on processors $p_1$ and $p_2$, whose running speeds are different, i.e.
whose CPU time units are different. We note by $u_i$ the execution time of any atomic statement on $p_i$ (for i ∈ {1, 2}).
Obviously, we suppose that $u_1 \neq u_2$. Then, any symbol which appears in words of $L(\tau_1)$ (resp. $L(\tau_2)$) is supposed to
Fig. 9. Navigation job program vs operationals for one procedure of the AMADO project code.
be associated with the delay $u_1$ (resp. $u_2$): the time semantics correspondingly associated with the language depends
on the target processor. We take this into account by indexing the language with this time unit: the language which
collects the behavior of τ1 when it is running on $p_1$ is denoted $L_{u_1}(\tau_1)$.
In previous sections, all processors were running at the same speed u, this speed was omitted in the description of
the relevant languages, and the synchronized product was naturally associated with u. At present, however, we cannot
compute the synchronized product of $L_{u_1}(\tau_1)$ and $L_{u_2}(\tau_2)$; this is due to the fact that it is impossible to associate a
time unit with the edges of the product.
In order to avoid this problem, in this section we are proposing a technique allowing us to determine a unit u such
that
• $L_{u_1}(\tau_1)$ can be mapped into $L_u(\tau_1)$,
• $L_{u_2}(\tau_2)$ can be mapped into $L_u(\tau_2)$.
These two languages bring us back to the previous context: the technique presented earlier in this article can be used
to compute the synchronized product of $L_u(\tau_1)$ and $L_u(\tau_2)$, whose edges are naturally associated with the time u.
In Section 6.1, we show how u can be determined, and we give the mapping to compute $L_u(\tau_1)$ from $L_{u_1}(\tau_1)$.
6.1. The language of job-valid behaviors
$L_{u_1}(\tau_1)$ is computed from the time characteristics of τ1. Some of these characteristics are time-absolute values
which do not depend on the characteristics of the target processor: $T_i$, $D_i$ and $r_i$. On the other hand, the value $C_i$
depends on the speed of the processor: we get
$$\underbrace{C_i}_{\text{CPU with a time unit } u} = \underbrace{\frac{C_i}{k}}_{\text{CPU with a time unit } uk}.$$
Computing $L_u(\tau_1)$ from $L_{u_1}(\tau_1)$ presupposes our keeping the specified values of $T_i$, $D_i$ and $r_i$, and likewise
presupposes our considering for $C_i$ the value corresponding to the time unit u.
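Example 1. Let $\tau_i$ be a job of characteristics $r_i$ = 3 ms, $D_i$ = 8 ms, $T_i$ = 10 ms and $C_i = 3u_i$. With $u_i$ = 1 ms, we
get
$$L_{u_i}(\tau_i) = \mathrm{Center}\left(\bullet^{3}\left(\left(a^3\, W\, \bullet^{5}\right)\bullet^{2}\right)^*\right).$$
With $u_i$ = 250 ns, we get the (different) language
$$L_{u_i}(\tau_i) = \mathrm{Center}\left(\bullet^{12}\left(\left(a^3\, W\, \bullet^{29}\right)\bullet^{8}\right)^*\right).$$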
Observing Fig. 10, one may note that $u_1$ and $u_2$ must be multiples of u: the natural value for u is $\gcd(u_1, u_2)$,
which can always be computed as soon as $u_1$ and $u_2$ are integer values. This last property is yielded as soon as time
units are expressed in terms compatible with the characteristics of the processors put to work (µs, ns, ps, etc.).
Words belonging to $L_{u_i}(\tau_i)$ integrate parameters $r_i$, $D_i$ and $T_i$ by enumerating job inactivity in terms of time units.
A word which describes the behavior of a task on a time interval of duration t is composed of letters whose individual
time interval is of length $u_i$, then t must be a multiple of $u_i$:
$$\overbrace{\underbrace{a}_{u_i}\,\underbrace{a}_{u_i}\cdots\underbrace{a}_{u_i}}^{t}.$$
Computing the language $L_{u_i}(\tau_i)$ involves the translating of time values $T_i$, $D_i$ and $r_i$ into word lengths. For $T_i$, for instance, we get the figure
$$\overbrace{\underbrace{x}_{u_i}\,\underbrace{x}_{u_i}\cdots\underbrace{x}_{u_i}}^{T_i}:$$
the inactivity of a task for a time $T_i$ would then be expressed by the word $\bullet^{T_i/u_i}$.
On the one hand $r_i$, $D_i$ and $T_i$ are usually greater than 20 ms; on the other hand $u_i$ is about some µs. Since
external time specifications for jobs can often be reviewed by constraining or relaxing them (these modifications must
be compatible with external specifications of the sensors and actuators), we suppose in the following that $\frac{T_i}{u_i} \in \mathbb{N}$,
$\frac{D_i}{u_i} \in \mathbb{N}$ and $\frac{r_i}{u_i} \in \mathbb{N}$.
The expression of $L_{u_i}(\tau_i)$ comes from the translation into time units of the time specifications of the job (period,
deadline and first activation date). Then, for the job $\tau_i$, whose behaviors of $P_{\tau_i}$ are the $(\omega_k)_{k\in I}$ (see Section 5.1), we
obtain
$$L(\tau_i) = \mathrm{Center}\left(\bullet^{\frac{r_\tau}{u_i}}\left(\left(\bigcup_{k\in I}\left(\omega_k\, W\, \bullet^{\frac{D_i-|\omega_k|}{u_i}}\right)\right)\bullet^{\frac{T_i-D_i}{u_i}}\right)^*\right).$$
We call Validity class of $\tau_i$ the set
$$L©(\tau_i) = \left\{L_u(\tau_i),\ \text{where } u \in \mathbb{N}^*,\ r_i \in u\mathbb{N},\ D_i \in u\mathbb{N} \text{ and } T_i \in u\mathbb{N}\right\}.$$
This set collects all languages that model operational behaviors of $\tau_i$ on all possible classes of targets, in terms of
CPU speed: note that the number of languages in this class depends on the unit u as it is expressed in (µs, ns, etc.),
the choice of unit being up to the user.
Fig. 10. CPU time units and observation time units.
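To map languages $L_{u_1}(\tau_1)$ and $L_{u_2}(\tau_2)$ on $L_u(\tau_1)$ and $L_u(\tau_2)$, we use the morphism $\phi^{u}_{u_i}$, which is defined in the
following way (see Fig. 10 for the use of this morphism):
Definition 10. Let $u \in \mathbb{N}^*$, $u_i \in u\mathbb{N}^*$, $\Sigma = \{a, \bullet\}$ be the alphabet associated with a job, and $\Sigma' = \{P, V\}$ be an
alphabet associated with a resource-like constraint. The morphism $\phi^{u}_{u_i}$ is defined in the following way:
$$\phi^{u}_{u_i} : \Sigma \cup \Sigma' \to \left(\Sigma \cup \Sigma'\right)^{\frac{u_i}{u}},\quad \begin{cases} \bullet \to \bullet^{\frac{u_i}{u}} \\ a \to a^{\frac{u_i}{u}} \\ P \to P\,a^{\left(\frac{u_i}{u}-1\right)} \\ V \to a^{\left(\frac{u_i}{u}-1\right)}\,V. \end{cases}$$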
Note that by induction, $\phi^{u}_{u_i}$ not only addresses task behaviors involved by a single resource, but also those involved
by many resources.
We can now give the computing process for synchronized products:
(1) The input data are the system Γ (composed of the $\tau_i$'s), the execution context C, the $L_{u_i}(\tau_i)$'s, and the $u_i$'s.
(2) We compute $u = \gcd_{i\in[1,n]}(u_i)$.
(3) For each $\tau_i$, we compute the language $L_u(\tau_i)$, which is equivalent to the language $L_{u_i}(\tau_i)$ in the sense that both
languages belong to $L©(\tau_i)$. Note that by construction, $L_u(\tau_i)$ is unique.
(4) We compute the synchronized product language $L_u\left(\Gamma_C\right)$, following the techniques presented in previous sections,
since all languages now share the same time unit.
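Steps (2) and (3) of this process, as an added example that is not code from the paper: the common unit is the gcd of the processor units, the morphism of Definition 10 rewrites each job word into that unit, and the exponents of the rescaled language follow from r, D and T. The function names, the dictionary keys and the two sample jobs (time values in µs) are constructed for illustration.

```python
from functools import reduce
from math import gcd

IDLE = "•"

def common_unit(units):
    """Step (2): u is the gcd of the time units u_i of the processors."""
    return reduce(gcd, units)

def phi(word, u_i, u):
    """Definition 10: rewrite a word whose letters last u_i into letters lasting u."""
    if u <= 0 or u_i % u:
        raise ValueError("u_i must be a positive multiple of u")
    k = u_i // u
    image = {
        IDLE: IDLE * k,
        "a": "a" * k,
        "P": "P" + "a" * (k - 1),    # the resource is taken in the first slot
        "V": "a" * (k - 1) + "V",    # and released in the last slot
    }
    return "".join(image[letter] for letter in word)

def skeleton(r, D, T, omega, u_i, u):
    """Step (3): parameters of L_u(tau_i) for one behavior omega of P_tau_i.

    r, D, T are absolute durations; omega is a word over {a, P, V} whose
    letters last u_i. The result describes
    Center(•^offset ((body W •^idle_in_window) •^tail)*).
    """
    for name, value in (("r", r), ("D", D), ("T", T)):
        if value % u:
            raise ValueError(f"{name} is not a multiple of u")
    body = phi(omega, u_i, u)
    idle_in_window = D // u - len(body)
    if idle_in_window < 0:
        raise ValueError("omega does not fit before the deadline")
    return {"offset": r // u, "body": body,
            "idle_in_window": idle_in_window, "tail": (T - D) // u}

if __name__ == "__main__":
    # Constructed jobs: tau_1 on a processor with u_1 = 4 µs, tau_2 with u_2 = 6 µs.
    u = common_unit([4, 6])
    print("u =", u)
    print(skeleton(0, 48, 48, "aPaVa", 4, u))
    print(skeleton(12, 36, 48, "aa", 6, u))
```

The image of a word keeps its absolute duration, and P stays the first letter and V the last letter of the rescaled critical section.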
6.2. Feasibility decision
This synchronized product language is associated with a unique time unit, and it is a regular language.
Consequently, Theorem 2 remains valid.
7. Computing techniques
The decision process is based upon both the computing of the center of the synchronized product and the evaluation
of the strong feasibility (Theorem 2).
Computing synchronized products is based upon classical filter techniques [13]: the synchronized product is a
subset of the homogeneous product: we construct it by starting from the initial state (it is unique), and by building
accessible states, i.e. states whose incoming edges are labeled with elements of the current synchronization set
(according to Arnold–Nivat's technique). To limit the size of intermediate computing automata, we use the following principle:
the more resources the job uses, the earlier its integration in the synchronized product.
The center operation is likewise implemented through filtering techniques, which can be applied while building
the automaton: one must decide, for each edge to be built, if it leads to a valid or an invalid state.
The reader can observe the details of computing using these techniques in the synchronized product trace tables
for the AMADO project validation (see Sections 3.5, 4.3 and 5.3): the consequence of this technique is the size-
limitation of temporary automata. Here, we are trying to lessen this limitation by avoiding the construction of useless
components belonging to the product automaton.
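The filter construction and the center computation described in this section, as an added example (not the authors' implementation). It handles constant-load tasks given as constructed tuples (r, C, D, T) in a common time unit with C ≤ D ≤ T, synchronizes only on the processor-sharing set S_p, and all function names are hypothetical.

```python
from itertools import product

IDLE, RUN = "•", "a"

def task_moves(task, state):
    """Outgoing edges of one task automaton; task = (r, C, D, T), state = (t, done).

    t is the time since the current release (negative before the first one),
    done the CPU units already received. Only moves that can still meet the
    deadline are produced, so a task automaton accepts time-valid words only.
    """
    r, C, D, T = task
    t, done = state
    if t < 0:                                   # not released yet: idle
        return [(IDLE, (t + 1, 0))]

    def nxt(d):                                 # next state, wrapping at the period
        return (0, 0) if t + 1 == T else (t + 1, d)

    if done == C:                               # instance completed: idle until T
        return [(IDLE, nxt(done))]
    moves = [(RUN, nxt(done + 1))]
    if C - done <= D - (t + 1):                 # idling keeps the deadline reachable
        moves.append((IDLE, nxt(done)))
    return moves

def synchronized_product(tasks, p):
    """Accessible part of the product, built from the initial state.

    An edge is created only if its label belongs to S_p, i.e. at most p tasks
    hold a processor during the same time unit.
    """
    init = tuple((-r, 0) for r, _, _, _ in tasks)
    edges, todo = {}, [init]
    while todo:
        state = todo.pop()
        if state in edges:
            continue
        edges[state] = []
        for combo in product(*(task_moves(tk, s) for tk, s in zip(tasks, state))):
            letters = tuple(letter for letter, _ in combo)
            if letters.count(RUN) <= p:
                target = tuple(s for _, s in combo)
                edges[state].append((letters, target))
                todo.append(target)
    return init, edges

def center(init, edges):
    """Keep the states from which a behavior can be extended indefinitely."""
    alive = set(edges)
    changed = True
    while changed:
        changed = False
        for state in list(alive):
            if not any(target in alive for _, target in edges[state]):
                alive.discard(state)            # dead end: some deadline will be missed
                changed = True
    return {s: [(l, t) for l, t in edges[s] if t in alive] for s in alive}

def feasible(tasks, p):
    """The center language is not empty iff the initial state survives."""
    init, edges = synchronized_product(tasks, p)
    return init in center(init, edges)

if __name__ == "__main__":
    tight = [(0, 1, 1, 2), (0, 1, 1, 2)]        # constructed: both must run at time 0
    print(feasible(tight, 1), feasible(tight, 2))
    init, edges = synchronized_product([(0, 1, 2, 2), (0, 2, 4, 4)], 1)
    print(len(edges), "product states,", len(center(init, edges)), "in the center")
```

The two sizes printed for the second system play the role of the |Π| and |C| columns of the trace tables: the difference is made of accessible states that lead only to a deadline miss.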
Fig. 11. Dynamic time parameters of tasks.
7.1. Improvement criterion
By studying the dynamic load of the system when in state s of the automaton, one can detect edges outgoing from
s and approaching invalid components of the automaton. The goal of this section is to point out an analytic criterion
to detect such edges as frequently as possible, in order to omit them in the construction of the automaton.
We deal with context D(∆)CCVT(p). All reasonings involve the synchronized product automaton, not automata
associated with individual jobs. Thus, they also stand for context D(∆)SCVT(p), since a unique time unit is
associated with the synchronized product in both frameworks.
Let us have a state s of $A_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$. We consider an edge e, labeled with x, outgoing from s. This edge
is useless if for every word α which labels a path from the initial state to s, there does not exist a word β such that
$\alpha x\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$. Deciding this from minimal information is possible. Since generic automata associated
with jobs only accept time-valid behaviors, time constraints need not be controlled when computing the synchronized
product: the only constraints requiring consideration are resource synchronization (resp. message transmission). Then,
we must define an analytical criterion, addressed when synchronizing with a resource, in order to compute the validity
of each edge to build. The aim of this part is to define the criterion.
Recall that for $\tau_i$, $C_\tau$ is computed in terms of time units. To be compared with both the $D_i$, $T_i$, and so on, it must
be expressed in absolute time, by using the formula $C_i u_i$.
We note by $T_\Gamma$ the value $\mathrm{lcm}_{i\in[1,n]}(T_i)$.
We call $L_i(t)$ the dynamic laxity of task $\tau_i$ at time t: it is the number of possible idle time units for $\tau_i$ before
its next deadline (see Fig. 11). The past of Γ is a behavior between times 0 and t: it is modeled by a word ω of
$L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$ of length t. Thus, the laxity $L_i(t)$ can always be computed from ω. That is why in the following,
we note $L_i(t)$ as well as $L_\tau(\omega)$. The same notation is also used for the dynamic CPU load $C_i(t)$ (remaining CPU load
for $\tau_i^k$ to be completed, see Fig. 11).
Let $\tau_i^k$ be the kth instance of $\tau_i$, presumed to be on at time t. From ω, the dynamic laxity $L_i(t)$ of $\tau_i^k$ can be
obtained in the following way. By construction, $\pi_i(\omega)$ can be broken down into $\omega_{ba}\,\omega_{\pi_1}\cdots\omega_{\pi_{k-1}}\,\mu$: $\omega_{ba}$ models the
inactivity of $\tau_i$ before its first activation, the $\omega_{\pi_j}$'s its past completed instances, and µ the beginning of the ongoing
instance $\tau_i^k$. We consequently obtain $\forall j \in [1, k-1],\ \left|\omega_{\pi_j}\right| = T_i$ and $|\mu| \le T_i$. There exists a set Λ of words such
that $\nu \in \Lambda \Rightarrow |\mu\nu| = T_i \wedge \pi_i(\omega)\nu \in L_u(\tau_i)$. $L_i(\omega)$ is obtained as $\mathrm{Min}_{\nu\in\Lambda}\left(|\nu|_\bullet\right)$: it is the most constrained dynamic
laxity of $\tau_i^k$ induced by the scheduling sequence ω.
We note by $\Sigma_i$ the alphabet associated with $L_u(\tau_i)$. A word β of $\prod_{i=1}^{i=n+r}\Sigma_i$ is valid (and then must not be filtered
by the criterion) if $\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$: if this property stands, the behavior ωβ leads Γ, at time $t+|\beta|$, to reach
the activation of the (k+1)th instance of $\tau_i$ according to both time and resource constraints. If not, choosing e leads to
a time fault: e may be omitted in the construction of $A_u\left(\Gamma_{D(\Delta)CCT(p)}\right)$.
[16] gives such a criterion for the context D(∆)CCT(1). It uses the order $\prec_\omega$ on Γ, which is defined in the
following way: at time t (i.e. at the end of ω), $\tau_i \prec_\omega \tau_j \Leftrightarrow L_i(\omega) < L_j(\omega)$. The criterion is defined by:
$$\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(1)}\right) \Rightarrow \forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\omega \tau_i}} \left(C_j(\omega\beta)\right) \le \frac{L_i(\omega\beta)}{u}.$$
Fig. 12. Equivalent monoprocessor model.
At this point, we extend this criterion to the context D (∆)CCVT (p).
We obtain:
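Theorem 3.
$$\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right) \Rightarrow \forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\omega \tau_i}} \frac{C_j(\omega\beta)}{p} \le \frac{L_i(\omega\beta)}{u}.$$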
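Proof. We enrich the notations we consider for context, by including time units in their descriptions: we note
D(∆)CCT(p[u]) to indicate the (common) time unit associated with the p processors of the target system.
Let $C_p$ be a D(∆)CCT(p[u]) configuration, $\omega \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$ and $\beta \in \prod_{i=1}^{i=n}\Sigma_i$, such that $\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$.
We consider a configuration $C_1$ following D(∆)CCT$\left(1\left[\frac{u}{p}\right]\right)$: its processor is p times faster than the p
processors of $C_p$. The load capacities of $C_1$ and $C_p$ are identical. There exist $\xi \in L_{\frac{u}{p}}\left(\Gamma_{D(\Delta)CCVT(1)}\right)$ and
$\beta' \in \prod_{i=1}^{i=n}\Sigma_i$ such that (see Fig. 12)
$$\begin{cases}
|\xi| = p \times |\omega| \\
\forall i \in [1, n],\ \pi_{\neg\bullet}(\pi_i(\omega)) = \pi_{\neg\bullet}(\pi_i(\xi)) \\
|\beta'| = p \\
\forall i \in [1, n],\ \pi_{\neg\bullet}(\pi_i(\beta)) = \pi_{\neg\bullet}\left(\pi_i(\beta')\right) \\
\forall k \in [1, |\omega|],\ \forall i \in [1, n],\ \begin{cases}
\pi_i(\omega_k) \neq \bullet \Leftrightarrow \pi_i(\omega_k) = \pi_i\left(\pi_{\neg\bullet}\left(\xi_{(k-1)\times p+1} \ldots \xi_{k\times p}\right)\right) \\
\pi_i(\omega_k) = \bullet \Leftrightarrow \pi_i\left(\pi_{\neg\bullet}\left(\xi_{(k-1)\times p+1} \ldots \xi_{k\times p}\right)\right) = \varepsilon.
\end{cases}
\end{cases}$$
The correlation between duration and length leads $L_i(\omega\beta)$ to be equal to $L_i(\xi\beta')$, for each $\tau_i \in \Gamma$, and ω to be
equivalent to ξ. Then, since $\forall \tau_i \in \Gamma,\ u\,C_i(\omega) = p \times \frac{u}{p}\,C_i(\xi)$, we obtain
$$\sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\xi \tau_i}} \frac{u}{p}\left(C_j(\xi\beta')\right) = \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\omega \tau_i}} \left(\frac{u\,C_j(\omega\beta)}{p}\right).$$
Since $\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$, we have $\forall x \in \mathbb{N},\ \exists \alpha \in \left(\prod_{i=1}^{i=n}\Sigma_i\right)^x \left(\prod_{i=1}^{i=n}\Sigma_i\right)^*$ such that $\omega\beta\alpha \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$. By a construction such as that of ξ and β′, we can build a word α′ of length x such that
$\xi\beta'\alpha' \in L_{\frac{u}{p}}\left(\Gamma_{D(\Delta)CCT\left(1\left[\frac{u}{p}\right]\right)}\right)$. As a result, ξβ′ belongs to the center of the monoprocessor language, and the
monoprocessor criterion stands. Then, we obtain
$$\forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\xi \tau_i}} \left(\frac{u}{p}\,C_j(\xi\beta')\right) \le L_i(\xi\beta')$$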
Fig. 13. Criterion base.
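Since
$$\sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\xi \tau_i}} \frac{u}{p}\left(C_j(\xi\beta')\right) = \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\omega \tau_i}} \left(\frac{u\,C_j(\omega\beta)}{p}\right),$$
we obtain
$$\forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\omega \tau_i}} \left(u\,\frac{C_j(\omega\beta)}{p}\right) \le L_i(\omega\beta)$$
and then
$$\forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j\in\Gamma \\ \tau_j \prec_\omega \tau_i}} \left(\frac{C_j(\omega\beta)}{p}\right) \le \frac{L_i(\omega\beta)}{u}.$$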
7.2. Experimental analysis
Let us now evaluate the improvement brought about by this multiprocessor branching-bound criterion. This
evaluation is performed by applying the operational validity decision process with and without the use of the criterion
on a random sample ξ generated thanks to a real-time configuration random generator, which is designed to produce
configurations to implement on multiprocessor targets. The generator we have used was proposed by Goossens and
Macq in [21]. Since operational validation is connected with CPU loads, this sample is analysed by CPU load sections.
For a real-time system $\Gamma = (\tau_i)_{i\in[1,n]}$ designed to run under the context D(∆)CCT(p), the CPU load is
$$\frac{\sum_{i=1}^{i=n}\frac{C_i}{T_i}}{p}.$$
For each CPU load λ ∈ [0, 1], we call $\xi_\lambda$ the subset of ξ composed of configurations whose CPU load is λ. We note
$\xi_{[\lambda_1,\lambda_2]}$ the set $\bigcup_{\lambda\in[\lambda_1,\lambda_2]}\xi_\lambda$. We do not deal with configurations with CPU loads of less than 0.3, because they are of
negligible significance in a real-time context.
The random sample ξ has been generated from a CPU load uniform random law on the interval $\left[\frac{3}{10}, 1\right]$. Then, ξ
is partitioned in $\left\{\left(\xi_{\left[\frac{i-1}{10},\frac{i}{10}\right]}\right)_{i\in[4,10]}\right\}$, and each $\xi_{\left[\frac{i-1}{10},\frac{i}{10}\right]}$ contains around 200 configurations. On the bar graphs
presented in Figs. 13–15, each presented value corresponds to the average value for the corresponding sample
$\left\{\left(\xi_{\left[\frac{i-1}{10},\frac{i}{10}\right]}\right)_{i\in[4,10]}\right\}$.
We evaluate the criterion firstly on its base aspect (is it often useful?), and secondly on its improvement aspect
(does it bring about a real improvement, in both space and time complexity aspects?).
We get the following results:
• Firstly, we evaluate the criterion base (see Fig. 13): for each sample ζ of $\left\{\left(\xi_{\left[\frac{i-1}{10},\frac{i}{10}\right]}\right)_{i\in[4,10]}\right\}$, we compute the
operational validity decision for all configurations of ζ. While computing, we enumerate the p configurations
Fig. 14. Memory gain involved by the criterion.
Fig. 15. Time gain involved by the criterion.
whose operational validity decision computing is improved by the use of the criterion: the value x% presented on
the figure is $\frac{p}{|\zeta|}$.
Observing Fig. 13 shows that the criterion is nearly always useful for real-time addressed configurations (CPU
loads over 70%).
• Secondly, the main problem of model checking techniques in such studies is space explosion. Such criteria are
usually followed in order to improve both space and time complexities. In Fig. 14, we evaluate space gain.
This gain is computed from the space used by the operational validity decision algorithm: computing automata
for each job, making products and intersections, computing the center language accepting automaton, evaluating
the emptiness of this center language by analysing this automaton. For C ∈ ζ, let us call bspace(C) the space
complexity (i.e. the largest instantaneous amount of memory needed by the decisional algorithm) for obtaining the
validity decision following this technique. Now, let us call cspace(C) the space complexity of the algorithm when
it is upgraded with the criterion, and let us call ospace(C) the space complexity of a clairvoyant algorithm, which
builds only the edges that remain in the final automaton.
In Fig. 14, we present the average values, for the ten samples $\xi_{\left[\frac{i-1}{10},\frac{i}{10}\right]}$ previously described, of both $1 - \frac{cspace(C)}{space(C)}$
(they compose the bright histogram) and $1 - \frac{ospace(C)}{space(C)}$ (they compose the dark histogram). These two histograms
provide a comparison between the criterion and the optimal possible performance.
We can see that the clairvoyant algorithm never deletes more than about 10% of built edges. In Section 3, we
designed our model in order to collect only valid scheduling sequences. By improving our basic space
complexity by only about 10% for the worst-case section, and by about 5% for the others, the clairvoyant algorithm both
validates our approach and yields improvements that would otherwise be hard to obtain. However, we see in Fig. 14
that our criterion improves space complexity by about 3% (for addressed configurations), that is to say about 50% of
the clairvoyant algorithm capacities (the optimum). For section [80%, 90%], however, the criterion improves only
about 25% with regard to the optimum. This case can be explained in the following way: such configurations are
not loaded enough to often be invalid, but are loaded enough to lead to deadline misses caused by markedly
earlier scheduling decisions. Such time properties lead the center automaton computation to delete a large part of the
graph: this is precisely the scope of improvement of the criterion, so it is natural that, having to process a larger part
of the graph than in other sections, it loses efficiency against the clairvoyant algorithm.
• Thirdly, evaluating the criterion uses processor time in addition to basic algorithm processor time. Here, we cannot
consider the clairvoyant algorithm as a reference, since such an algorithm does not exist (because of the complexity
class of the problem). That is why, in Fig. 15, we evaluate only the time gain involved by use of the algorithm: in
many cases, the additional CPU time involved by the criterion is made up for by the edge gain obtained: the only
section to be in deficit is [30%, 40%]. This deficit arises because, for such systems, the basic algorithm is very
efficient (see Fig. 14), and so the additional expense involved by computing the criterion for each edge is not
made up for by avoiding edges. For addressed sections, the time gain is over 6%, and about 10% for the section
[80%, 90%]. Recall that space improvement of the criterion for this section is only about 2.5% (see Fig. 14), but
these 2.5% are connected with a time gain of about 10%: the best of all sections.
So, these experiments show that our model achieves its objectives, since it builds only a few useless edges, and
that the criterion is definitely useful for configurations addressed in real-time design processes.
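The Python example below is added here and is not the authors' implementation: it builds the reachable scheduling graph of a small task set, trims it to the states that admit an infinite continuation (a simplified stand-in for the center computation), and returns the built and surviving edge counts that play the roles of bspace(C) and ospace(C). Assumptions: zero offsets, D ≤ T, independent tasks, identical processors, edge counts as the space measure, and a plain laxity test (`laxity_cut`) used in place of the paper's criterion, which it does not reproduce; all function names are hypothetical.

```python
from itertools import combinations
from math import lcm

def step(tasks, t, rem, run, laxity_cut):
    """Loads one time unit later, or None if the edge is rejected.
    laxity_cut is a stand-in pruning test, not the paper's criterion."""
    t1, nxt = t + 1, []
    for i, (C, D, T) in enumerate(tasks):
        r = rem[i] - (i in run)                  # exact load: one unit consumed if run
        to_deadline = (D - t1 % T) % T           # units left before the deadline
        if r and (to_deadline == 0 or (laxity_cut and r > to_deadline)):
            return None                          # miss now, or negative laxity
        nxt.append(C if t1 % T == 0 else r)      # release the next instance
    return tuple(nxt)

def explore(tasks, p, laxity_cut=False):
    """Reachable graph for tasks (C, D, T), zero offsets and D <= T (assumed)."""
    H = lcm(*(T for _, _, T in tasks))           # hyperperiod
    init = (0, tuple(C for C, _, _ in tasks))
    edges, todo = {init: set()}, [init]
    while todo:
        t, rem = s = todo.pop()
        ready = [i for i, r in enumerate(rem) if r]
        for k in range(min(p, len(ready)) + 1):  # idling is allowed
            for run in combinations(ready, k):   # a task never runs on two CPUs
                nxt = step(tasks, t, rem, run, laxity_cut)
                if nxt is None:
                    continue
                n = ((t + 1) % H, nxt)
                edges[s].add(n)
                if n not in edges:
                    edges[n] = set()
                    todo.append(n)
    return init, edges

def center(edges):
    """Simplified center: drop, to a fixed point, states with no live successor."""
    live = set(edges)
    while True:
        dead = {s for s in live if not edges[s] & live}
        if not dead:
            return {s: edges[s] & live for s in live}
        live -= dead

def measure(tasks, p, laxity_cut=False):
    """Return (feasible, edges built, edges remaining after trimming)."""
    init, edges = explore(tasks, p, laxity_cut)
    kept = center(edges)
    count = lambda g: sum(len(v) for v in g.values())
    return init in kept, count(edges), count(kept)
```

On the constructed set `[(2, 2, 2), (1, 2, 2)]` with two processors, `measure` reports 6 built edges of which 4 survive, and with `laxity_cut=True` only those 4 are built. On `[(1, 2, 2), (1, 2, 2)]` with one processor the laxity test removes nothing, because the useless edge there comes from processor contention rather than from a single task's laxity.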
8. Conclusion
In this paper, we have used algebraic compositions of regular languages to define a model to decide upon the
operational validity of periodic real-time systems. This model is valid for periodic real-time systems with offsets,
where jobs can communicate or share critical resources, and it takes hardware specifications into account (e.g.
processors of different speeds).
Experiments have shown that this model is quite efficient: the validity decision process builds very few useless
edges, and the branching-bound criterion reduces decision execution times by 5%–10%. Moreover, the AMADO
project study shows that this approach is useful for Real-Time Conception Aid Design. The classes of properties that
can be evaluated are currently being studied.
This work yields many contributions pertaining to the real-time operational validation problem:
• Reducing job CPU loads to their worst case is known to lead to acceptance of invalid configurations. We have
provided a novel methodology which avoids worst case analysis in the operational validation process.
• This methodology applies to monoprocessor target architectures, but (and this is new) also to multiprocessors.
• Since we represent the set of valid sequences with regular languages, the cyclicity theorem [28,16] remains valid
for multiprocessor scheduling.
The second step of this research consists in defining and experimenting with measure indicators useful in software quality
assessment. We are presently working in two directions:
• we are characterizing the classes of indicators we can compute on the basis of our model: from a technical point of view,
we are comparing the respective performances of enumeration-based indicators [36] and of probability-based
indicators [33,31] with respect to their computing time as well as their expressive power;
• we are characterizing, in the automaton, the paths corresponding to RM scheduling sequences (resp. DM, EDF,
LF): measure indicators will be useful in determining how a real-time system needs to be modified so as to be
rendered valid for a specific on-line policy.
Moreover, our results encourage us to extend the approach we have studied to more general systems: we have extended
the scope of this methodology to real-time systems composed of both periodic and sporadic jobs [20]: a sporadic job
is associated with an alarm signal, which is obviously not periodic. In another direction, observation of the geometric
properties of the automata’s graphs has prompted us to adopt a new approach toward validating real-time systems, and it
appears to be highly efficient [27]. In the future, we are planning to apply these results so as to provide
assistance for real-time designers in the operational specification process.
Acknowledgements
The authors wish to thank the anonymous referees for the numerous improvements they have contributed to this
paper; and also Jeffrey Arsham, a professional English translator, for the stylistic improvements he has contributed to
this paper.
Appendix. Notations and definitions used in this paper
Mathematical notations
$\prod_{i \in I} E_i$ Cartesian product of all sets $E_i$ such that $i \in I$
$\bigcup_{i \in I} E_i$ Union of all sets $E_i$ such that $i \in I$
$\bigcap_{i \in I} E_i$ Intersection of all sets $E_i$ such that $i \in I$
$A \setminus B$ $\{x \in A \cup B$ such that $x \in A \wedge x \notin B\}$
$\pi_B \in B^A$ Function such that $x \in B \to \pi_B(x) = x$ and $x \notin B \to \pi_B(x) =$ 
$\pi_{\neg B} \in B^A$ Function such that $x \in B \to \pi_{\neg B}(x) =$  and $x \notin B \to \pi_{\neg B}(x) = x$
Words and languages
$|\omega|$ Length (number of characters) of word $\omega$
$|\omega|_x$ Number of occurrences of pattern $x$ in the word $\omega$
Reg(Σ) Set of regular languages on alphabet Σ
Pref(ω) Set of prefixes of ω (can be a word or a language)
Center(L) Center of the language L
$a^x$ The pattern $a$ repeated $x$ times
i∈I L i Homogeneous product of all languages $L_i$ such that $i \in I$
W Shuffle of languages
Real-time tasks
$\Gamma$ The currently considered real-time system
$\tau_i$ The $i$th task of a real-time system
$\tau_{ij}$ The $j$th instance of task $\tau_i$
$r_i$ First activation date of task $\tau_i$
$D_i$ Critical delay of task $\tau_i$
$C_i$ CPU load of task $\tau_i$
$T_i$ Period of task $\tau_i$
$L_i(t)$ Dynamic laxity of task $\tau_i$
$C_i(t)$ Dynamic CPU load of task $\tau_i$
Scheduling contexts
ICCT (p) Independent tasks, common clock, centralized system, periodic real-time system, p processors
D (∆)CCT (p) Dependent tasks with constraints ∆, common clock, centralized system, periodic real-time system, p processors
EDF Earliest Deadline First scheduling policy
LL Least Laxity First scheduling policy
RM Rate Monotonic scheduling policy
DM Deadline Monotonic scheduling policy
Model
a The task is running for one observation time unit
• The task is suspended for one observation time unit
$L\binom{\Gamma}{C}$ Model language for system Γ under context C
$A\binom{\Gamma}{C}$ Accepting finite automaton for $L\binom{\Gamma}{C}$
$L_u\binom{\Gamma}{C}$ Model language for system Γ under context C and observation time unit u
$A_u\binom{\Gamma}{C}$ Accepting finite automaton for $L_u\binom{\Gamma}{C}$
$S_R$ Arnold–Nivat synchronization set for resource R management protocol
φ p n Transformation function which replaces a by a n p, P by Pa(n p−1) and V by a(n p−1)V. p must be an element of nN
References
[1] DGA (French Arms Procurement Agency), ONERA (French aeronautics, and space research centre), International universities mini uav
competition. Closed in September, 2005. http://concours-drones.onera.fr/.
[2] K. Altisen, A. Clodic, F. Maraninchi, E. Rutten, Using controller-synthesis techniques to build property-enforcing layers, in: Proc. of 12th
European Symposium on Programming, in: Lecture Notes in Computer Science, vol. 2618, Springer Verlag, 2003, pp. 174–188.
[3] R. Alur, D. Dill, A theory of timed automata, Theoretical Computer Science 126 (1994) 183–235.
[4] R. Alur, D.L. Dill, Automata for modeling real-time systems, in: Proceedings of the 17th International Colloquium on Automata, Languages
and Programming, in: Lecture Notes in Computer Science, vol. 443, Springer-Verlag, London, UK, 1990, pp. 322–335.
[5] T. Amnell, E. Fersman, L. Mokrushin, P. Pettersson, W. Yi, Times: A tool for schedulability analysis and code generation of real-time systems,
in: Proc. of 1st International Workshop on Formal Modeling and Analysis of Timed Systems, in: Lecture Notes in Computer Science, vol.
2791, 2003, pp. 60–72.
[6] A. Arnold, Finite Transition Systems, Prentice-Hall, 1994.
[7] A. Arnold, A. Griffault, G. Point, A. Rauzy, The altarica formalism for describing concurrent systems, Fundamenta Informaticæ 40 (2000)
109–124.
[8] T.P. Baker, Stack-based scheduling of real-time processes, The Journal of Real-Time Systems 3 (1991) 67–99.
[9] S.K. Baruah, Scheduling periodic tasks on uniform multiprocessors, Information Processing Letters 80 (2) (2001) 97–104.
[10] S.K. Baruah, A. Burns, Sustainable scheduling analysis, in: Proc. of the 27th International Real-Time Systems Symposium, IEEE Computer
Society, Rio de Janeiro, Brazil, 2006, pp. 159–168.
[11] S.K. Baruah, N. Fisher, The feasibility analysis of multiprocessor real-time systems, in: Proc. of the 18th Euromicro Conference on Real-Time
Systems, IEEE Computer Society, Dresden, Germany, 2006, pp. 85–96.
[12] J.P. Beauvais, Étude d’Algorithmes de Placement de Tâches Temps Réel Périodiques Complexes dans un Système Réparti, Ph.D. Thesis,
École Centrale de Nantes, France, 1996.
[13] P. Bozanis, N. Kitsios, C. Makris, A.K. Tsakalidis, New upper bounds for generalized intersection searching problems, in: Proc. of 22nd
International Colloquium on Automata, Languages and Programming, 1995, pp. 464–474.
[14] P. Brémond-Grégoire, J. Choi, I. Lee, A complete axiomatization of finite-state acsr processes, Information and Computation 138 (2) (1997)
124–159.
[15] A. Choquet-Geniet, Un premier pas vers l’étude de la cyclicité en environnement multi-processeur, in: Proc. of Real-Time Systems 2005,
Teknea, 2005, pp. 289–302.
[16] A. Choquet-Geniet, E. Grolleau, Minimal schedulability interval for real-time systems of periodic tasks with offsets, Theoretical Computer
Science 310 (2004) 117–134.
[17] A. Colin, I. Puaut, Worst case execution time analysis for a processor with branch prediction (Worst-case execution time analysis), Real-Time
Systems 18 (2) (2000) 249–274 (special issue).
[18] M.L. Dertouzos, A.K. Mok, Multiprocessor on-line scheduling of hard-real-time tasks, IEEE Transactions on Software Engineering 15 (12)
(1989) 1497–1506.
[19] S. Eilenberg, Automata Languages and Machines, vol. A, Academic Press, 1976.
[20] D. Geniet, J.P. Dubernard, Scheduling hard sporadic tasks with regular languages and generating functions, Theoretical Computer Science
313 (2004) 119–132.
[21] J. Goossens, C. Macq, Limitation of the hyper-period in real-time periodic task set generation, in: Proc. of Real-Time Systems 2001, Teknea,
2001, pp. 133–148.
[22] R.L. Graham, E.W. Lawler, J.K. Lenstra, A.H.G. Rinnooy Kan, Optimization and approximation in deterministic sequencing and scheduling:
A survey, Annals of Discrete Mathematics 5 (1979) 287–326.
[23] E. Grolleau, Ordonnancement Temps-Réel Hors-Ligne Optimal à l’Aide de Réseaux de Petri en Environnement Monoprocesseur et
Multiprocesseur, Ph.D. Thesis, Univ. Poitiers, 1999.
[24] E. Grolleau, A. Choquet-Geniet, Off-line computation of real-time schedules by means of petri nets, Journal of Discrete Event Dynamic
Systems 12 (2002) 311–333.
[25] J. Carpenter, S. Funk, P. Holman, A. Srinivasan, J. Anderson, S. Baruah, A Categorization of Real-Time Multiprocessor Scheduling Problems
and Algorithms, in: Handbook of Scheduling: Algorithms, Models, and Performance Analysis, Chapman and Hall/CRC, 2004, pp. 30-1–30-19
(Chapter).
[26] P. Krčál, W. Yi, Decidable and undecidable problems in schedulability analysis using timed automata, in: K. Jensen, A. Podelski (Eds.), Proc.
of the 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, in: Lecture Notes in Computer
Science, vol. 2988, Springer-Verlag, 2004, pp. 236–250.
[27] G. Largeteau, D. Geniet, É. Andres, Discrete geometry applied in hard real-time systems validation, in: Proc. of 12th Discrete Geometry for
Computer Imagery, in: Lecture Notes in Computer Science, vol. 3429, Springer-Verlag, 2005, pp. 23–33.
[28] J.Y.T. Leung, M.L. Merrill, A note on preemptive scheduling of periodic real-time tasks, Information Processing Letters 11 (3) (1980) 115–118.
[29] C.L. Liu, J.W. Layland, Scheduling algorithms for multiprogramming in a hard real-time environment, Journal of the ACM 20 (1) (1973)
46–61.
[30] A.K. Mok, Fundamental design problems for the hard real-time environments, Ph.D. Thesis, MIT, 1983.
[31] A.M. Odlyzko, Enumeration of strings, in: A. Apostolico, Z. Galil (Eds.), Combinatorial Algorithms on Words, in: NATO Advance Science
Institute Series. Series F: Computer and Systems Sciences, vol. 12, Springer-Verlag, 1985, pp. 205–228.
[32] S. Pailler, A. Choquet-Geniet, Off-line scheduling of real-time applications with variable duration tasks, in: Proc. of 7th Workshop on Discrete
Event Systems, 2004, pp. 373–378.
[33] A. Paz, Introduction to Probabilistic Automata, Academic Press, 1971.
[34] L. Sha, R. Rajkumar, J. Lehoczky, Priority inheritance protocols: An approach to real-time synchronisation, IEEE Transactions on Computers 39
(9) (1990).
[35] I. Sommerville, Software Engineering, Addison-Wesley, 2004.
[36] L. Thimonier, Generating functions and random words, Thèse d’état, Univ. Paris 11, October 1988.
[37] J. Xu, D.L. Parnas, Scheduling processes with release times, deadlines, precedence and exclusion relations, IEEE Transactions on Software
Engineering 16 (3) (1990) 360–369.
