A system based on a hierarchical scheduler is a system in which the processor is shared between several collaborative schedulers. Such schedulers exist since 1960 and they are becoming more and more investigated and proposed in reallife applications. For example, the ARINC 653 international standard which defines an Ada interface for avionic real time operating systems provides such a kind of collaborative schedulers. This article focuses on the modeling and the performance analysis of hierarchical schedulers. We investigate the modeling of hierarchical schedulers with AADL. Hierarchical scheduler timing and synchronization relationships are expressed with a domain specific language based on timed automata: the Cheddar language. With the meta CASE tool Platypus, we generate Ada packages implementing the Cheddar language. These Ada packages are part of Cheddar, a real time scheduling simulator. With these Ada packages, Cheddar is able to perform analysis by scheduling simulation of AADL systems composed of hierarchical schedulers. An AADL model of the ARINC 653 hierarchical scheduling is described as an illustration.
INTRODUCTION
In [32] , we presented Cheddar, a set of Ada packages which aims at performing analysis of real time applications. This Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. set of packages includes analytical scheduling tools and most of classical scheduling simulation algorithms. It also provides a domain specific language called the Cheddar language. The Cheddar language allows the designer to define new schedulers which are not already implemented into the Cheddar framework. The Cheddar framework offers a set of tools (eg. interpreters) for such user-defined schedulers.
Cheddar is able to perform analysis on AADL specifications. The SAE Architecture Analysis and Design Language (AADL) is a textual and graphical language support for model-based engineering of embedded real time systems that has been approved and published as SAE Standard AS-5506 [14] . AADL is used to design and analyze the software and the hardware architecture of embedded real-time systems.
In [33] , we explained how performance analysis can be performed with Cheddar on AADL specifications when threads are scheduled with usual schedulers such as Rate Monotonic or Earliest Deadline First. This article presents the support of hierarchical schedulers with AADL and Cheddar. A system based on a hierarchical scheduler is a system in which the processor is shared between several collaborative schedulers. With the current AADL standard and with the current Cheddar implementation, such a scheduler is difficult to model and analyze.
Hierarchical scheduling has been initially proposed in the context of time sharing systems. In time sharing systems, hierarchical schedulers were proposed in order to define userlevel scheduling policies (eg. fair process scheduling [20] or user-level and kernel-level threads scheduling into Solaris [36] ). If user-level scheduling capability stays a motivation for the use of hierarchical schedulers, system designers mostly focus on hierarchical scheduling in order to reduce system design cost and to increase the sharing resource efficiency. Today, it is usual to share a processor by several applications. This allows old applications to run efficiently on newer processors without beeing re-designed (eg. re-design of the scheduling). Applications sharing a processor can have different resource requirements. For example, in a real time multimedia application, a given scheduler may support critical tasks for audio and video presentation while uncritical tasks can be managed by a different scheduler which does not provide deterministic task response time. The queueing based hierarchical scheduling features proposed by POSIX 1003 or Ada 2005 allow such a differentiated class resource allocation [28, 26, 29, 7, 16] Unfortunately, real time hierarchical schedulers also raise two difficult challenges.
1) The first challenge is related to the large number of hier-archical schedulers which were proposed. These hierarchical schedulers have complex and different ways to perform communication and synchronization relationships between the schedulers and the tasks [4] . It is also difficult to express scheduler requirements and behaviors in order to combine themself for example [21, 27] . In contrary to the usual schedulers such as Earliest Deadline First or Rate Monotonic, it is difficult to implement into the Cheddar framework a set of hierarchical schedulers satisfying most of system designer needs. In the context of hierarchical schedulers, the approach proposed by Cheddar is to provide a programming language which eases the design and the implementation of hierarchical schedulers.
2) The second challenge is related to the availability of analytical methods for hierarchical schedulers: there is currently few feasibility tests in the context of real time hierarchical scheduling [1, 12, 30, 10] . A feasibility test is an analytical method which is able to predict before task execution if a given system will meet its task timing requirements. Building feasibility tests is usually a difficult work and it is more complex for hierarchical schedulers. When no feasibility test exists for a given hierarchical scheduler, Cheddar can be used to perform scheduling simulation. In this case, the scheduling simulation tool has to be efficient (low memory footprint and high response time) in order to run large simulations.
The Cheddar language was formerly introduced in [32] . This language made it possible the design of user-defined schedulers with fixed timing and synchronization relationships between tasks and schedulers. A program written with the Cheddar language is organized in sections. A section is a kind of Ada sub-program. The former Cheddar scheduling simulation engine assumed a fixed order for the execution of such sections: this fixed order was modeling the fixed timing/synchronization relationships between tasks and schedulers.
In this article, we propose to extend the Cheddar language and its tools (editor, interpreter and compiler) in order to design hierarchical schedulers with AADL. This new Cheddar language allows the designer to model any synchronization and timing relationships between the tasks and the schedulers. Tasks and schedulers relationships are modeled with timed automata [13, 3] . The abstract semantic of the Cheddar language is modeled with the meta CASE tool Platypus. From this Cheddar language model, Platypus is able to generate Ada packages which implement tools such as Cheddar program compiler or interpreter.
Timed automata are frequently used to express timing and synchronization requirements of real time systems. There is some experiments to model and verify real time schedulers with timed automata [2, 35, 19] . Numerous tools exist (editors, simulators and model-checkers such as UPPAAL [5] or Esterel Studio [6] ) and some standards are also based on such a formal model (eg. UML Statecharts [11] ).
Timed automaton is also the formal model chosen by the SAE AADL standard committee to express AADL behavioral properties in the next release of the AADL standard [15] and first experiments on the verification of AADL specifications with timed automata were presented recently [8] . By extending the Cheddar language with a timed automaton model similar to the one investigated by the SAE AADL committee, the work presented in this article is then a first 
a r t i t i o n 2 : p r o c e s s p a r t i t i o n 2 . Impl; p r o p e r t i e s
Actual Processor Binding = > r e f e r e n c e a r i n c a p p l i e s to p a r t i t i o n 1 ; Actual Processor Binding = > r e f e r e n c e a r i n c a p p l i e s to p a r t i t i o n 2 ; end au to arin c. Impl; contribution to the scheduling analysis of AADL specifications using AADL behavioral features [15] .
This article is organized as follows. The sections 2 and 3 are devoted to the AADL modeling of hierarchical scheduler based systems. The section 2 focuses on the architecture point of view while the section 3 focuses on the timing and the synchronization point of view. In section 4, we describe what kind of analysis the AADL designer can expect with Cheddar on such AADL specifications. We also explain how Ada packages implementing analysis tools are generated from an AADL specification. Finally, we conclude and give future works in section 5.
MODELING HIERARCHICAL SCHEDULERS WITH AADL
An AADL specification describes both the hardware part and the software part of a real time system [14] . An AADL specification is a set of components such as shared data, threads, processes (the software side of a specification), processors, devices and busses (the hardware side of a specification).
In the sequel, we focus on thread, process and processor components. A thread is a sequential flow of control that executes a program. An AADL thread may be implemented by an Ada task. AADL threads can be woken up according to several policies: a thread may be periodic, sporadic or aperiodic. An AADL periodic thread is woken up at a regular time interval. This time interval is called a "period". In the case of a sporadic thread, a minimum inter-woken up time interval is considered. An aperiodic thread may be woken up at any time. An AADL process models a virtual address space. In the most simple case, a process simply owns threads and shared data. Finally, a processor is the execution platform component which is capable of scheduling and executing threads.
An AADL specification also contains component connections and component properties. Component connections model component relationhips such as thread precedency constraints, message exchanges or shared data access. Component properties store component information which is related to the component behavior or the way the component will be implemented in the target system. A property is defined by a name, a value and a type. For example, a thread component property may store the Ada package file name in which the Ada task implementing the AADL thread will be defined. The designer can define properties with most of the AADL components. If AADL defines standard properties, AADL also allows the designer to define its own properties. Figure 1 shows a part of an AADL specification modeling a simple ARINC 653 avionic system. ARINC 653 provides space and time partitioning when several applications share the same processor and the same memory unit. An ARINC 653 system is then a set of applications called partitions. Each partition is composed of tasks. The processor sharing is made according to a two-levels hierarchical scheduling:
1. The partitions are cyclically activated. This first level of scheduling is fixed at design time: it is usually statically computed.
2.
The second scheduling level is related to the task scheduling: tasks of a given partition are scheduled all together with a fixed priority scheduler. This thread scheduling is an online scheduling.
The ARINC 653 model of the figure 1 specifies a set of AADL periodic threads (threads T 1.Impl, T 2.Impl, ..) modeling ARINC 653 tasks. The timing behavior of each thread is defined by a set of properties such as P eriod, Deadline or Cheddar P roperties ::F ixed P riority. P eriod and Deadline are AADL standard properties. The P eriod property stores the fixed delay between each thread wake up time. The Deadline expresses the timing constraint the thread has to meet. Finally, Cheddar P roperties :: F ixed P riority is an example of AADL property proposed by Cheddar in order to apply real time scheduling analysis tools. This Cheddar property assigns a fixed priority for each thread of the modeled system. Such a priority attribute is used by fixed schedulers such as Rate Monotonic [23] .
The AADL specification of figure 1 also defines two AADL processes which model two ARINC 653 partitions (partition1.Impl and partition2.Impl).
The Actual P rocessor Binding property is a usual AADL way to express that the two processes are run on the same processor: the arinc.Impl processor. With AADL, each processor owns a scheduler. The standard AADL Scheduling P rotocol property stores the name of the scheduling protocol describing how the processor time is shared between threads. With AADL/Cheddar, when a hierarchical scheduler is modeled, the designer has to provide a Scheduling P rotocol property for both processes and processors. Since this feature is not AADL V1.0 compliant, a Cheddar specific property is then defined. In this example, for the arinc processor and for the partition1.Impl process, the Scheduling P rotocol property contains Automaton User Def ined P rotocol which indicates that the scheduler is a user-defined scheduler modeled by a Cheddar program (eg. a timed automaton). Finally, each timed automaton has a name which is specified by the Cheddar P roperties::Automaton Name. In the AR-INC example, partition1 scheduler is the name of the timed automaton modeling the timing/synchronization behavior of the thread scheduler of partition 1 and processor scheduler is the automaton name of the scheduler modeling the sharing of the processor time between the two ARINC partitions.
In the next section, we give some details about the timing and the synchronization specification of these schedulers. 
MODELING HIERARCHICAL SCHEDULER BEHAVIOR WITH CHEDDAR
In this section, we give an overview of the Cheddar language. A complete description of the language can be found in [31] . The use of the Cheddar language is then illustrated by the example of the ARINC 653 model of the section 2.
Outline of the Cheddar language
The Cheddar language is defined by two parts : a small Ada-like language and a timed automaton language.
A small Ada-like language
This small Ada-like language is used to express computations on simulation data. Simulation data are constants or variables used by the scheduling simulator engine of Cheddar in order to run scheduling simulations. Examples of such simulation data are task wake up times or task priorities. A Cheddar program is organized in sections. A section is a kind of Ada sub-program composed of several statements. Most of the time, a Cheddar program is composed of the following sections [32] : a start section which contains variable declarations and initializations ; a priority section which contains the code to compute simulation data on each unit It also provides statements, types and operators which are more specific to the design and the debug of scheduling algorithms. For example, the unif orm/exponential statements customize the way random values are generated during simulation time ; the lcm operator computes last common multiplier of simulation data ; finally, the max to index operator looks for the ready task which has the highest value for a given array of simulation data. The detailed Backus-Naur Form syntax of this language is given in [31] .
A timed automaton language
A Cheddar program can contains a set of timed automata similar to those proposed by UPPAAL [13, 3, 5] . UPPAAL is a toolbox for the verification of real time systems. A system is then modeled as a network of several timed automata extended with variables. A state of the system is defined by the locations of all automata, the clock constraints, and the values of the variables. Every automaton may fire a transition separately or synchronize with another automaton, which leads to a new state. Transition may be guarded with time constraint. Finally, delays can express time consumption at transition firing. In Cheddar, these timed automata allow to model timing and synchronization behaviors of schedulers. Automata may run Ada-like sections, read or write simulator data.
Cheddar program examples: an illustration with the hierarchical ARINC scheduler
In section 2, we described with AADL the architectural point of view of an ARINC model made with a set of collaborative schedulers (process schedulers and processor schedulers). This section shows how the Cheddar language can be used to express timing and synchronization relationships between such ARINC partition schedulers and ARINC task schedulers.
The ARINC 653 hierarchical scheduler is modeled by a set of Cheddar programs. A textual representation of those pro- The automata modeling the thread scheduling of each partition have three types of location:
1. the P ended locations. From these locations, the partitions can not get access to the processor in order to run one of their thread.
2. the W ait P riority and the Ready locations. If a partition is in one of these locations, it is allowed to run one of its thread. W ait P riority is an intermediate location from which the scheduler computes thread priorities. AADL thread priorities are computed by the partition1 priority section during the firing of the W ait P riority outgoing transition (see the Cheddar program of section 8.1). The Ready location chose the AADL thread to run during the next unit of time. To find the next thread to run, the Cheddar program interpreter calls the partition1 election section during the firing of the Ready outgoing transition.
The partition scheduler automaton (see figure 4 ) models the cyclic partition activation: in this example, the partition scheduling is made on a 10 units of time cycle. Each cycle, the partition 2 is activated during the 6th first units of time and the partition 1 is activated during the 4th last units of time. The partition 2 schedules critical periodic tasks according to Rate Monotonic whereas the partition 1 schedules a set of uncritical tasks according to a round-robin scheduler. The partition scheduler enforces timing isolation between the two partitions which have different processor resource requirements.
The last automaton (see figure 5 ) models the scheduling engine of Cheddar: this Cheddar program is a part of the Cheddar program interpreter which drives scheduling simulations.
Besides the sections which store timed automaton modeling timing and synchronization behavior, a Cheddar program also contains sections to perform arithmetic/logic statements (eg. to compute task priorities), to do initializations and to select the task to run at the next unit of time.
In the case of our ARINC 653 model, the section start1 of the program depicted in section 8.1 does some initializations ; the partition1 priority of the section 8.1 computes task priorities according to a round robin scheduling with a 2 units of time quantum ; finally, the section partition2 election of the section 8.2 shows how to select the next highest priority task to run.
PERFORMANCE ANALYSIS OF A CHEDDAR PROGRAM MODELING HIERARCHICAL SCHEDULERS
Scheduling simulation consists in predicting for each unit of time, the thread to which the processor should be allocated. Checking if threads meet their deadlines can then be performed by analysis of the computed scheduling. When AADL specifications only contain periodic AADL threads and for some real time schedulers such as Rate Monotonic, scheduling simulations can prove that AADL threads will meet their deadline. For such a proof, the designer has to run the scheduling simulation during a time interval called the scheduling period (sometimes called schedule length, base period, major cycle or hyper period). If the AADL specification is composed of periodic AADL threads which arrive in the system at the same time, this scheduling period can be computed by [22, 9] :
where k is the time when all AADL threads request the processor for the first time (eg. thread arrival time), Pi is the period of the thread i and LCM is the last common multiplier of all AADL thread periods of the system. If the system designer run a scheduling simulation from the time k to the time k+2 * LCM (∀i : Pi) and if no thread deadline are missed during such a scheduling period, then, no deadline will be missed during all the thread scheduling.
From a Cheddar program which models a hierarchical scheduler, we generate Ada packages which are part of the Cheddar framework and that allow the designer to run scheduling simulation. Let see now how such Ada packages are generated.
From Cheddar programs to scheduling simulations
As depicted by figure 6, a new scheduler described by a Cheddar program can be designed and directly interpreted using the Cheddar environment. This feature eases the design step and allows the user to perform small scheduling simulation. But scheduling simulation tools have to be efficient in order to run large simulations. They must have a low memory footprint and a high response time. When the design step is over, the Cheddar program specifying a new scheduler can be handled by a code generator that produces a set of Ada packages. Then, a new Cheddar version that integrates the new scheduler as a builtin one can be compiled. The new Cheddar environment can then run efficient scheduling simulations with the new user-defined scheduler.
The Ada package generator is implemented within Platypus. Platypus [25] is a meta-environment suitable for model driven engineering activities. It allows meta-model specification describing meta-data hierarchies, integrity and transformation rules definition and also allows conforming data models specification. Meta-models as well as conforming models are specified with the EXPRESS modeling language [18] . The STEP technology [17] is used in order to automatically instanciate meta-models from their conforming models. Then, transformation rules associated to meta-entities can be interpreted in order to generate some target realization such as an Ada package for example.
From a Cheddar program, Platypus generates two different Ada packages: the Ada packages implementing the modeled scheduler and the Ada packages which are part of the Cheddar data access interface (CDAI ) [24, 34] .
The Cheddar data access interface
As shown by figure 7 , the CDAI is a central component of Cheddar. It implements a repository that all other components are using in order to read and write data or meta-data. Mainly, Cheddar user interface and builtin scheduler components are using it in order to get or put simulation data such as processor or task attributes. The Cheddar language compiler and interpreter are using it in order to store Cheddar programs meta-data and to manage computation results. 
The Cheddar program interpreter
The Cheddar program interpreter allows the designer to test Cheddar program. During a scheduling simulation, the Cheddar program interpreter is called at each unit of time in order to evaluate automaton transitions which can be fired. Transition firing may lead to run priority or election sections. Start sections are always run by the simulation engine at simulation start time.
During scheduling simulation, the interpreter maintains a status for each transition of the Cheddar programs. These status can be:
• Guarded: the transition can not be fired due to a transition guard which is not satisfied.
• P ended: the transition is executing a time consumming statement and then, can not be fired until the delay is not elapsed.
• U nreachable: the transition is not allowed to be fired according to the current location of the automaton.
• RendezV ous: the transition can not be fired because the automaton is waiting for synchronization with another automaton.
• Ready: the transition is ready to be fired.
For a given nth unit of time, the Cheddar program interpreter works as follows:
1. It checks and updates the status of each transition:
• A transition which is "pended" stays "pended" if the delay is not exhausted. If its delay is exhausted, the automaton status becomes "ready".
• For all others transitions, their status is set to "ready" immediately. 5.1 To run delay/clock statement. This may lead to compute the next wakeup automaton date and to change its status to "pended".
Instances of the cheddar language meta schema
5.2 To run sections. Section run there can be priority or election sections. If an election section is run, then, the interperter has ended its work for the current unit of time and must switch to the n+1th unit of time.
5.3 And then, to update the current location (transition outgoing location) for all fired transitions except for those which became "pended" at step 5.1.
6. The interpreter restarts at step 1 if at least one transition was fired at step 5. Otherwise, the interperter has ended its work for the current unit of time and must switch to the n + 1th unit of time.
Process to generate Ada packages from a Cheddar program
After a Cheddar program was tested by the interpreter, one can use an Ada code generator in order to compile and integrate the new scheduler into the Cheddar framework. This new compiled Cheddar framework makes it possible to efficiently run time consumming simulations (eg. simulation on large model).
This Ada package generation process is depicted by figure  8 .
The Cheddar program Ada package generator is made of a meta-model named cheddar language meta schema specifying the Cheddar language abstract semantic. It also contains translation rules specifying how to generate Ada packages implementing a scheduler modeled by a Cheddar program.
From the Cheddar language meta-model, the CDAI has been enriched with a dedicated component automatically generated and aiming at Cheddar program metadata handling. Within the repository, Cheddar programs are stored as cheddar language meta schema instances produced by the Cheddar program compiler. In order to generate a user-defined scheduler, Platypus is able to read cheddar language meta schema instances generated by the CDAI and stored as a STEP exchange file and finally, to generate a new scheduler as a dedicated Ada package.
CONCLUSION AND FUTURE WORKS
In this article, we have investigated the modeling and the analysis of AADL specifications containing hierarchical schedulers. We have proposed an extension of the Cheddar language and its tools (editor, interpreter and compiler) in order to support hierarchical schedulers. This new Cheddar language makes use of timed automata [13, 3] and allows the designer to model synchronization and timing relationships between the AADL threads, the schedulers of AADL processors and the schedulers of AADL processes. With the meta CASE tool Platypus, we have designed a meta-model of Ada 95 for Cheddar and a model of the Cheddar language [24, 34] . From these models, we generate Ada packages which are part of the Cheddar scheduling simulation engine. These Ada packages implement a Cheddar program compiler and interpreter. Scheduling simulation analysis can then be performed on AADL specifications with hierarchical schedulers.
An AADL model of the ARINC 653 hierarchical scheduler is described as an illustration.
The SAE AADL committee is currently preparing the next AADL standard release (AADL release V2.0). Such a new release should propose new features related to AR-INC 653. The next AADL release should also propose a timed automaton language in order to express behavioral properties of AADL systems [15] . By extending the Cheddar language with a timed automaton model similar to the one investigated by the SAE AADL committee, the work presented in this article is then a first contribution to the scheduling analysis of AADL specifications using AADL behavioral features [15] . In the next months, we will have to check that a Cheddar program can be actually transformed towards an AADL V2.0 behavioral specification.
ACKNOWLEDGMENTS
Cheddar is an open-source tool (available at http://beru.univ-brest.fr/~singhoff/cheddar/) and many people help the Cheddar team by their advices, bug reports or documentation/source code contributions. The Cheddar team would like to thank all contributors. The list of the contributors can be reached at http://beru.univbrest.fr/~singhoff/cheddar/#Ref7. Cheddar AADL analysis features rely on Ocarina. We also would like to thank the
