Discretely synchronized, distributed real-time systems may su er from a time discontinuity problem in that local clocks observe the disappearance or reappearance of time intervals. This problem occurs since traditional discrete clock synchronization algorithms adjust local clocks instantaneously. Such time discontinuities may lead to run-time faults due to the loss or gain of critical time points such as task release times and deadlines.
Introduction
Distributed real-time systems must have the notion of a global clock which serves as a common time base that enables the run-time system to monitor the order of event occurrences, measure time durations, and schedule real-time tasks in spatially distributed nodes 4, 7] . However, due to various sources of clock errors including clock drifts and clock reading errors, a perfect global clock would never exist in the real world. This gives rise to a variety of clock synchronization techniques in the literature 5, 8, 17, 12] . They include Interactive Convergence Algorithm (CNV) 8], Interactive Consistency Algorithm (COM, CSM) 8], and Fault Tolerant Average Algorithm (FTA) 5]. These algorithms rely on an assumption that each node in a distributed system possesses a local clock whose drift rate is bounded. Based on this assumption, they can maintain an imaginary global clock with known accuracy by periodically synchronizing local clocks in the system. While these algorithms focus on fault tolerance so as to make the system functional in the presence of the bounded number of clock failures, relatively little e ort has been put into problems that may arise during the application of clock synchronization to distributed real-time systems. These problems have something to do with the implementation of clock synchronization algorithms. In discrete (instantaneous) clock synchronization, at every synchronization period, a node computes an approximate correction and adjusts its clock using this computation. This incurs abrupt changes in local time, thus yielding time discontinuities. Since such a discontinuity leads to the loss or gain of time amounting to the correction in local clock time, important time points such as release times and deadlines of tasks may disappear or reappear, which in turn results in run-time faults.
The potential problems of time discontinuities were partially addressed in 8, 5, 18] . To avoid negative measurements caused by backward correction 5], Srikanth et. al. 18] proposed to always set a clock to a value greater than the current time. Obviously, since this still allows the loss of time due to forward correction, events scheduled in the lost interval can disappear. A su cient solution to the time discontinuity problem is continuous clock synchronization 8]. In continuous synchronization, a node spreads out a correction value over a nite interval by speeding up or slowing down its clock rather than instantaneously updating it. However, since it requires that clock values be adjusted every clock tick, this approach incurs an excessive run-time overhead if implemented in software. Thus continuous synchronization is generally implemented in hardware using a phase-locked loop 17, 2, 3, 6] .
Where continuous clock synchronization hardware is not available, or where software clock synchronization is desirable, perhaps, for a reduced cost, we need to use a discrete clock synchronization technique in spite of the time discontinuity problem. In this paper, we propose a constraint transformation for equi-continuity (CTEC) that can e ectively solve the time discontinuity problem in discrete clock synchronization. The CTEC dynamically modi es timing constraints such as release times and deadlines of real-time tasks when local clocks need to be adjusted every synchronization period. The CTEC working as an added run-time component of discrete clock synchronization moves timing constraints out of correction intervals. In doing so, it makes use of a mapping derived from continuous clock synchronization in order to exploit its continuity property.
The CTEC also solves a clock skew problem. Even though a task completes before its deadline in its local clock time, one cannot be sure, due to clock skew, if the task has met its true deadline in reference time. A similar problem was partially addressed in 1] by Baruah et al. They proposed to model clock skew as a special case of arrival jitter and incorporated it into schedulability analysis for periodic tasks. We take a simpler approach than 1]. Our CTEC tightens up task deadlines and release times by the maximum clock skew as determined by a clock synchronization algorithm. This simple transformation enables real-time tasks to tolerate variable but bounded clock skew for timing correctness.
The CTEC possesses a very important merit: even after applying CTEC to a task set, one can safely rely on the result of schedulability analyses performed on the original tasks. We formally prove this property by showing that for a given task set, discrete clock synchronization with CTEC yields the same task schedule as continuous clock synchronization. To the best of our knowledge, this is the rst approach that solves the time discontinuity problem of discrete clock synchronization without actually modifying discrete clock synchronization algorithms.
In order to show the applicability of CTEC, we have implemented it in the Arx real-time operating system we developed at Seoul National University 15, 16] and performed extensive experiments on a CAN-based distributed platform running Arx. The purpose of the experiments was to show the e ect of time discontinuities in real-world applications and the e ectiveness of CTEC. The experimental results indicate that time discontinuities pose a consistency problem, speci cally in the form of message loss in our experiment case, to the real-world systems. The experimental results also indicate that CTEC is an e ective solution to the problem, while incurring little run-tine overhead. In our implementation of CTEC on a Pentium-based PC, the additional run-time overhead was only 38 machine instructions per real-time task each period.
The remainder of this paper is organized as follows. In Section 2, we discuss traditional clock synchronization techniques, introduce the time discontinuity problem, and de ne a good clock. In Section 3, we describe the CTEC in detail and formally prove its correctness. In Section 4, we present the results of our empirical study on discrete clock synchronization with CTEC. Section 5 concludes this paper.
Traditional Clock Synchronization
In this section we rst give a brief description of the clock model and de ne several essential properties of good clocks. We then describe traditional discrete clock synchronization algorithms and their time discontinuity problem. For this paper, we focus only on external clock synchronization where clocks are synchronized with respect to an external reference clock. It is fairly straightforward to apply our approach to internal clock synchronization where clocks are synchronized with respect to one another.
Good Clocks
Every physical clock has a di erent clock rate from each other due to varying environmental conditions such as temperature and radiations 5]. A local clock C tends to diverge from a reference clock C r . Formally, local clock C is a mapping from reference time t r to local time t. \C(t r ) = t" means that the local clock tells time t at reference time t r . We assume that the inverse mapping of C is a single-valued function, and denote it by c(t) = t r . (Notations used throughout the paper are summarized in Table 3 Note that a good clock is de ned with respect to a reference clock. In external synchronization, a reference clock is de ned to be a unique external clock. It could be any physical clock set aside for an application system or any of existing time standards such as the International Atomic Time (TAI) and the Universal Time Coordinated (UTC) 4]. On the other hand, in internal clock synchronization, it can be an imaginary clock determined by a clock synchronization algorithm. For example, in internal synchronization using the CNV algorithm 8], the reference clock time is the average of local clock times. Throughout the paper, reference time t r is used in specifying the timing constraints of real-time tasks and enforcing timing correctness. 1 Di erentiable except for a negligible set of points in the reference time, e.g., a countable set of points.
Discrete Clock Synchronization
Due to a non-zero drift rate, a physical clock deviates from the reference clock. The di erence between the two clock readings at t r , denoted by (t r ), is referred to as clock skew.
(t r ) = C r (t r ) ? C(t r ) = t r ? C(t r ) (1) To bound clock skew, discrete clock synchronization algorithms periodically synchronize local clocks to the reference clock. Figure 1 illustrates discrete clock synchronization. Let T clk denote the synchronization period in reference time, and kT clk denote the k th synchronization instant. At every kT clk for k 0, a discrete clock synchronization algorithm computes correction k and applies it to a local clock. Thus, the local clock drifts apart only for a nite period of time until the next synchronization occurs. Since the drift rate is bounded, so is the clock skew. Let C d and t d denote a discretely synchronized clock and its clock time, respectively. Note that C d is constructed from physical clock C by a clock synchronization algorithm. If we ignore the time overhead needed for clock synchronization, the discretely synchronized clock can be represented as follows. 
Problems with Discrete Clock Synchronization
Discrete clock synchronization is frequently used in practice since it does not require special hardware devices. However, discrete clock synchronization causes the time discontinuity problem which may confuse the run-time system into making a wrong judgment on real-time tasks. For example, consider a situation depicted in Figure 2 . Suppose that a task has a deadline at time 19. At time 18, the current synchronization period began. In the gure, the task was running at that time, and the local clock was corrected by +2 time units since it lagged behind the reference clock by two time units. This made the local clock advance to time 20 abruptly and the deadline happens to disappear. As a result, the running task missed its deadline.
Apparently, time discontinuities occur since discretely synchronized clock C d is not a good clock.
The discrete clock synchronization algorithm makes an instantaneous update to a local clock using correction k computed every synchronization period. We call such a discontinuous interval seen by the local clock a correction interval. In Figure 1 , the interval labeled as 2 is the correction interval of the second synchronization period. If k is positive, there is a loss of time amounting to k in local time. As in Figure 2 , deadlines in a positive correction interval will disappear and may result in incorrect task scheduling. Similarly, if the release time of a task disappears, it may lose a chance of getting dispatched. We refer to this phenomenon as constraint disappearance.
On the other hand, if k is negative, constraints in a correction interval will appear again. This is called constraint reappearance. If the release time of a task lies in a negative correction interval, the run-time system will think that the current task instance violates the release time constraints. 
Continuous Clock Synchronization
To avoid the problem of time discontinuity, continuous clock synchronization was suggested in 5, 8] . A continuously synchronized clock can be realized by spreading out a correction over a synchronization period. Since a continuous clock uses the same correction information as a discrete clock, a continuous clock function can be easily derived from a discrete clock. To distinguish continuous clocks from discrete ones, we denote a continuous clock and its local time by C c (t r ) and t c , respectively. For a given discrete clock, there exist many mappings that generate continuous clock functions. We choose the following mapping as a clock function C c (t r ) for the k th synchronization. This mapping is obtained by subtracting correction k from the discrete clock C d in Eq. (2), and spreading it uniformly over the synchronization interval kT clk ; (k + 1)T clk ) for k 0.
where C d ((k + 1)T clk ?) denotes its left hand limit, lim tr!((k+1)T clk ?) C d (t r ).
Though C c (t r ) is a continuous function, a clock using C c (t r ) cannot be said to be a good clock
can be less than 0. In such a case, C c (t r ) fails to meet the monotonicity requirement. However, in almost all practical cases, we have (1+ One can easily show that the clock skew between C c and C r is bounded. Due to the space limitation, we do not include a formal proof of this property. Instead, we show that C c (t r ) satis es the properties of good clocks. Theorem 1. The continuously synchronized clock C c is a good clock if the underlying physical clock C is a good clock and T clk > j k j+2 for k 0; that is, C c satis es the following conditions.
(P1) C c is continuous.
(P2) The drift rate of C c is bounded.
(P3) C c is monotonically increasing.
Proof. See Appendix A.
Note that the continuous clock function in Eq. (4) includes a future term C d ((k + 1)T clk ?) which cannot be determined at the k th synchronization instant. Fortunately, we can easily eliminate C d ((k + 1)T clk ?) from Eq. (4) by a simple approximation. Since T clk , we have
This mapping will be used for CTEC in the remainder of the paper. Continuous clock synchronization using Eq. (5) can be implemented in software by changing the clock value every clock tick. Obviously, this incurs too much run-time overhead to be used in practice. A plausible solution is to use a dedicated hardware device. To this end, we can use a frequency synthesizer based on the phase-locked loop (PLL) technique. We do not delve into this issue since it is beyond the scope of this paper. Interested readers are referred to 14, 2, 6, 3].
Constraint Transformations for Discrete Clocks
We have shown that a continuously synchronized clock using the mapping given in Eq. (5) is a good clock, thus it can avoid the time discontinuity problem. We have also shown that continuous clock synchronization is appropriate only for hardware implementation because of its excessive run-time overhead. In this section we present an alternative approach to the time discontinuity problem. The proposed solution uses a run-time constraint transformation technique we name a constraint transformation for equi-continuity (CTEC).
Task Model
Before describing the CTEC, we rst de ne our task model and its associated timing parameters. A periodic task i is subject to three timing constraints, a periodicity constraint, a release time constraint, and a deadline constraint. They are represented by hT i ; r i ; d i i, respectively. The j th instance of i is denoted i;j , and its absolute release time and deadline are denoted R i;j and D i;j , respectively. R i;j = jT i + r i ; D i;j = jT i + d i : (6) We also de ne additional notation for timing values which are determined at run-time. The actual computation time of task instance i;j is denoted e i;j . We assume that e i;j is bounded for all j and denote its maximum by e i . The actual start time and the nish time of i;j are denoted S i;j and F i;j , respectively. All of these timing parameters are speci ed in reference time. When they Tasks on the same node are scheduled by local scheduler (C x ; y) which uses local clock C x and scheduling policy y. For example, if the scheduler uses C c and the EDF policy 11], it is represented by (C c ; EDF).
Constraint Transformation for Equi-Continuity
The CTEC consists of two steps. The rst step is an o -line transformation that is applied once to a given task set. It tightens up task timing constraints so that tasks can tolerate the maximum amount of clock skew as speci ed by a clock synchronization algorithm. Note that a non-zero clock skew may prevent the run-time system from ensuring tasks' true timing constraints speci ed in reference time. As an illustration, consider a scenario depicted in Figure 3 . At time D i;j in reference time, task i;j is running and the local clock C c lags behind the reference clock C r by . At local time F c i;j , task i;j completes its execution. Since the nish time F c i;j is earlier than the deadline D i;j in local time, the local scheduler gets confused and believes that i;j meets its deadline, although it has in fact already missed its true deadline. We can easily avoid such an incorrect timing check by tightening up timing constraints by before making a schedulability analysis. This simple transformation of timing constraints is the rst step of CTEC.
Step Note that period constraints need not be changed by CTEC. Since the clock synchronization algorithm keeps the clock skew bounded by a constant value , the frequency of task invocations does not di er in both local time and reference time.
In the second step, the CTEC dynamically modi es the timing constraints of tasks in such a way that no timing constraints lie in a correction interval in local clock time. For instance, if a deadline constraint lies in a correction interval, the proposed approach maps the deadline to a time 
This mapping is used in Step 2, as below.
Step Note that Step 2 can successfully avoid time discontinuities by remapping timing constraints always to those outside correction intervals. In Figure 4 , b t z is moved to b b t z outside the correction interval. Note also that the mapping satis es condition (C1). Since is monotonic, the ordering of timing constraints is not changed. We summarize CTEC below by composing its two subsequent transformations.
CTEC: i;j
Step 1 =) c i;j
Step 2 =) c c i;j : R i;j
Step 
Schedulability Analysis and CTEC
It looks extremely di cult to perform a schedulability analysis on a CTEC-transformed task set, since task timing constraints are modi ed at run-time. However, in reality, it is very straightforward to do so, since we can use the result of a schedulability analysis made with a continuous clock. Note that CTEC emulates the task scheduling performed with a continuous clock. During a schedulability analysis, we only need to take into account the clock skew of local clocks. Clock skew is handled by Step 1 anyway.
We formally prove this essential property by showing that CTEC with discrete clock synchronization yields the same task schedule as continuous clock synchronization. 
c c ( d
Proof. See Appendix B. Theorem 2 states that the schedulability of a CTEC-transformed task set can be equivalently tested with c i;j . Note that the constraints of task c i;j are obtained o -line by Step 1 and xed at run-time, and that C c has the properties of a good clock. Thus, we can use any of existing schedulability tests found in the literature 11, 9, 10] . This shows that condition (C2) is satis ed.
Numerical Example
As a walk-through example of CTEC, we consider a periodic task i whose timing parameters are given below. Step II: With the correction = 210 s, mapping is derived as follows. 
Empirical Study
In this section we provide an empirical evidence that time discontinuities possibly incur timing faults in real world environments, and that the proposed CTEC solves this problem with little runtime overhead. Our experiments were performed on a CAN-based distributed platform running the Arx real-time operating system 15]. We extended Arx to support external clock synchronization with CTEC. Results taken from our experiments under various workloads show that timing faults increasingly occur as the system utilization approaches a breakdown utilization, and that CTEC successfully eliminates such timing faults. Particularly, the results also indicate that CTEC can e ectively reduce run-time faults with little run-time overhead when the system experiences transient overload.
Experimental Setup
Our distributed platform consisted of three Pentium PC's interconnected with the 1Mbps CAN (controller area network) bus. The CAN protocol is capable of guaranteeing bounded message transfer latencies via predictable, priority-based bus arbitration. Each PC was equipped with a CAN interface board possessing a Philips SJA1000 controller. We have written a CAN board driver and incorporated it into Arx. For more details about the CAN protocol and its chipsets, readers are referred to 19, 20] .
CAN interface board with SJA1000T CAN bus 1 Mbps
Figure 6: Experimental platform with three Pentium PC's connected via CAN.
We have implemented the central master synchronization protocol which is a variant of an external synchronization algorithm 4]. The periodic synchronization activity of the protocol was performed by two kernel-level threads, initiator and synchronizer, as illustrated in Figure 7 . The initiator which ran in the master node periodically broadcast the current clock value. Upon receiving a synchronization message from the initiator, the synchronizer in the slave node computed a correction and updated its clock. The CTEC was implemented as an independent module that was called by the thread scheduler. When invoked, it reads a correction value and transforms the most imminent timing constraint. The extra overhead by CTEC is merely 38 machine instructions per transformation on a Pentium processor. The clock synchronization parameters used in our experiments are given in Table 1 . The synchronization period T clk was chosen to guarantee a clock skew of 213 s, as shown below. 
Experimental Results
Through our experiments, we intended to show that time discontinuities pose consistency problems to distributed real-time applications. One of such problems arises when a producer/consumer task pair communicates with each other via time-triggered messages 4, 13]. Speci cally, consider a periodic producer/consumer task pair where each of the tasks is allocated in a di erent node and scheduled independently by a local scheduler. They use a receive queue on the consumer's side for communication. A message from the producer is written into the receive queue by a CAN controller, and the consumer periodically reads from the queue. To enforce timely message transfers between a producer and a consumer, the consumer's release time is chosen to be greater than the producer's deadline by the maximum message transfer delay. This is illustrated in Figure 8 where w denotes the maximum message transfer delay. In this setup, a deadline miss of a producer may prevent a consumer from receiving a timely message and force the consumer to read an old message from the receive queue. Since a belated message may well be overwritten before being used, we call such a message a lost message.
For the experiments, we generated periodic task sets consisting of 10 producer/consumer pairs. Task timing parameters were obtained via a uniform probability distribution with parameters shown in Table 2 . We ran each task set for 60 synchronization periods (600s) and measured the number of message losses. Also, to observe the varying impact of CTEC under di erent workloads, we generated task sets with distinct utilizations U (= P i e i T i ) by varying task execution times. We draw a graph in Figure 9 to compare the number of message losses with and without CTEC under varying utilizations. We categorized the generated task sets into three classes depending on their producer tasks' utilization and analyzed the impact of CTEC under these classi ed workloads. Note that we considered the utilization of only producer tasks since deadline misses of producers
Min. 20ms 0ms 10ms Max. 40ms 40ms 40ms Table 2 : Distributions of task timing parameters (r i < d i < T i ).
were a main source of message losses. The rst class included those task sets whose utilization was less than 0.4653, and the third class included those whose utilization was greater than or equal to 0.4746. The second class included task sets in between. Without CTEC, we were able to observe message losses when the workload exceeded U = 0:4653. Such message losses were resulted from clock skew and time discontinuities. Without CTEC, and even with CTEC, we were able to observe the increased number of message losses when the workload exceeded U = 0:4746. Such message losses were in large part due to genuine deadline misses. In our experiments, U = 0:4746 was a breakdown utilization. As de ned in 9], a breakdown utilization is a schedulable utilization bound for a task set. The breakdown utilization in our experiments was much less than the rate monotonic bound since tasks used in the experiments had positive release time constraints and tight deadlines. We summarize our discussions on the experimental results as below.
Light load case (U < 0:4635): No message losses were observed in this case regardless of the use of CTEC. This is because the clock skew in our experimental environment was relatively small and because deadline disappearance did not lead to a deadline miss. A deadline miss occurs only when a task is running at the very moment its deadline disappears. This occurs very rarely when a system is lightly loaded. Note that in Arx the deadline disappearance itself does not a ect the system's operation unless it leads to a deadline miss.
Medium load case (0:4635 U < 0:4746): When the system utilization approaches the breakdown utilization, task sets without CTEC yielded message losses, whereas those with CTEC did not lose any message.
Heavy load case (0:4746 U): As the CPU got overutilized, both task sets with and without CTEC yielded many message losses. Still, CTEC signi cantly helped reduce the number of lost messages. In particular, when U > 0:54, CTEC eliminated about a half of message losses. This indicates that CTEC is very bene cial in keeping a system stable while the system experiences a transient overload. Note that CTEC adds very small run-time overhead to the system. 
Conclusion
We have presented a timing constraint transformation technique CTEC to avoid time discontinuities in discrete clock synchronization. The CTEC working as a run-time component invoked by the thread scheduler remaps timing constraints to those outside correction intervals. In doing so, it makes use of a mapping derived from continuous clock synchronization. The CTEC proposed in this paper allows for several bene ts: (1) it can be e ectively implemented in software with little run-time overhead since it does not change discrete clock synchronization algorithms; and (2) it does not sacri ce the analyzability of a CTEC-transformed task set, although task constraints are dynamically modi ed. We have formally proved the correctness of CTEC by showing that the CTEC with discrete clock synchronization generates the same task schedule as continuous clock synchronization.
In order to show the e ectiveness of CTEC, we have implemented it and performed extensive experiments on a distributed platform based on the CAN bus. In our experiments using producer/consumer tasks, we measured the number of message losses between producers and consumers with and without CTEC. Our experimental results indicate that time discontinuities signi cantly contribute to message losses when a system gets fully utilized. CTEC will be very bene cial in reducing message losses when a system experiences a transient overload.
There are several future research directions. We are currently extending the proposed approach to deal with synchronization faults. If a node experiences transient faults for several synchronization periods, its local clock may deviate beyond a speci ed bound. In such a case, a new continuous mapping should be chosen to take into account the missed synchronization periods, and CTEC should be modi ed accordingly. In addition, we are also seeking to nd other applications that may be bene ted from CTEC. For example, in applications where obtaining correct time stamps for occurred events is important, a negative correction may lead to the incorrect temporal ordering of events. The equi-continuity and monotonicity properties of CTEC will be useful in those applications.
Using Eqs. (4) and (2), we also have This proves the desired result.
(P3) The monotonicity property directly follows from the fact that C c is continuous as proved in (P1) and the assumption that
Appendix B { Proof of Lemma 1.
Let L be a set of all the periodic task instances in T such that L = f i;j j i 2 T and j 0g. We de ne priorities among task instances i;j 2 L such that i;j inherits the priority of i at its j th period. Ties are broken by choosing a task with the earliest absolute release time. For instance, if EDF is used, the priorities are obtained according to the absolute deadlines of task instances. We de ne L m be a priority ordered subset of L such that L m contains m highest priority task instances taken from L. We relabel task instances in L m such that L m = f a 1 ; a 2 ; : : : ; a m g where a 1 has the highest priority. For notational convenience, we denote the execution time of a i by e i which is measured with reference clock C r .
We de ne availability function (t r ; L m ; ( )) as below. n ) = t r;2 . The start time t r;1 of c a n is the rst idle time point no earlier than the release time of c a n . The nish time t r;2 is determined by the execution time of c a n and the availability function. We restate t r;1 and t r;2 formally as below. 
We compare Eq. (10) The converse, or the \only if" part, is proved in the same manner.
