WCET free time analysis of hard real-time systems on multiprocessors: A regular language-based model by Geniet, Dominique & Largeteau-Skapin, Gaëlle
To cite this version:
Dominique Geniet, Gaëlle Largeteau-Skapin. WCET free time analysis of hard real-time systems on multiprocessors: A regular language-based model. Theoretical Computer Science, Elsevier, 2007, 388 (1-3), pp. 26-52. <10.1016/j.tcs.2007.03.054>. <hal-00346012>
HAL Id: hal-00346012
https://hal.archives-ouvertes.fr/hal-00346012
Submitted on 10 Dec 2008
WCET Free Time analysis of Hard Real-Time Systems on Multi-Processors: a Regular Language-Based Model
Dominique Geniet
Laboratoire d'Informatique Scientifique et Industrielle
Université de Poitiers
Téléport 2, Site du Futuroscope
F-86960 Futuroscope Chasseneuil Cedex
&
Gaëlle Largeteau
Signal, Image, Communication
Université de Poitiers
Téléport 2, Site du Futuroscope
F-86360 Futuroscope Chasseneuil Cedex
Abstract
This paper presents the initial step of a design-aid method earmarked for the operational validation of hard real-time systems. We consider systems composed of sequential hard real-time jobs embedded on centralized multiprocessor architectures. We introduce a model based upon untimed finite automata, meant to collect the operational behaviours of the system that are compatible with its time specifications, and we go on to provide a feasibility decision result for systems composed of jobs whose CPU loads are exact values (execution times are not WCET values). This is why we call this approach WCET-free analysis. The results we have achieved likewise involve hardware specifications such as multiprocessors and processor speeds.
Key words: Finite automata, Real-Time Systems, Operational validation
Email addresses: dominique.geniet@univ-poitiers.fr (Dominique Geniet), glargeteau@sic.univ-poitiers.fr (Gaëlle Largeteau).
1 The authors wish to thank the anonymous referees for the numerous improvements they have contributed to this paper, and also Jeffrey Arsham, a professional English translator, for the stylistic improvements he has contributed to this paper.
Preprint submitted to Elsevier Science 11th December 2006
[Figure 1. The operational validation in the software life cycle. Two panels, "Software life cycle" and "Real-time software life cycle", each showing the stages Requirement analysis & definition, System & software design, Implementation, Unit testing, Integration and System testing; the real-time life cycle adds a Real-time validation stage.]
1 Introduction
Real-time scheduling has been implemented in real-time kernels by means of fixed priority policies (mainly RM and DM). Dynamic priority policies (EDF, LLF) also exist [26], but they have not been implemented in operating systems. The scheduling power of all these policies has been studied for uniprocessor and multiprocessor targets [27][15]. Since they have not been designed to deal with precedence or synchronization constraints, additional specific techniques have been designed [31][8].
Real-time validation has been studied: it consists in deciding whether specific software can be scheduled on a given target (feasibility) or whether a specific on-line policy can be used to schedule the software (validation). Knowing all valid scheduling sequences of a task system designed to run on a specific hardware target is useful (in particular) to choose the scheduling technique best suited to the case study.
Current system approaches are software-engineering oriented: for instance, [2] is designed to build specific policies or controllers, others are based on a categorization and the analysis of system constraints (global vs local in [2]), [32] integrates the real-time validation step into the software life cycle (see Figure 1), [11] proposes the ACSR algebra, whose purpose is to facilitate design and analysis in the specification step of the life cycle, etc. A more controller-oriented technique is proposed by the TIMES project [5]: producing a scheduler from the time specifications and calculating the worst response times of software tasks.
As far as we know, the problem of collecting all valid scheduling sequences has not been studied for multiprocessor targets. Solving this problem will help the user to choose a good scheduling technique. It is the aim of this paper.
Previously existing feasibility studies (they address uniprocessor targets) rely on modeling scheduling sequences, with timed automata [4][3], Petri nets [21], etc. [34][29]. A comparative analysis of the capacities of untimed and timed automata [6][4][3] leads us to use untimed finite automata: for this model, concerning the properties we deal with, the class of decidable properties is the largest and the computing complexities are not worse [3][16].
Each task of the system is translated into a finite automaton whose accepted words correspond to all possible behaviours of the task. The automaton is computed on the basis of the time characteristics of the task, so as to accept only the task behaviours compatible with its time constraints. Concurrency is modeled by products of automata, and synchronization (processor and resource sharing, communication) thanks to the Arnold-Nivat model [6].
Since we address the problem of collecting all possible behaviours of the systems we study, we do not rely on the WCET assumption [14]; this is why we call our approach WCET-free analysis. In [23], Krčál and Yi show the decidability of the scheduling problem for systems specified by [Min,Max] CPU loads. Amnell et al. cite this problem as one to be addressed [5]. In this paper, we present a hopefully quite effective solution: we deal with systems specified by all possible CPU loads for all jobs of the system, and we propose an algorithmic technique based on untimed automata to reach this decision. Our technique revolves around solving the reachability problem, whose complexity is known to be lower for untimed automata. All these factors explain our choice of untimed finite automata (i.e. regular languages) to model real-time systems.
We have organised this paper as follows.
• Since scheduling decisions depend on both the analysed task system and the hardware and software context (see [22] for a complete analysis which points this fact out), the first part of the paper (Section 2) deals with the task systems we consider and a taxonomy of possible contexts, in order to define a precise canvas for the following studies.
• The second step consists in the technical core of the work: we present the basic elements of our language-based technique. Section 3 deals with the language-based model and the validation process; Section 4 shows how to extend this technique to address synchronization; Section 5 shows how the WCET assumption can be avoided.
• The final section (§7) deals with the internals of the computing techniques and the results of experiments that show the level of improvement brought by our optimization technique.
2 Validation of real-time systems
In this section, we describe both the structure of real-time systems and a model meant to represent execution contexts.
2.1 Real-time systems
A real-time system is composed of a finite set $(\tau_i)_{i\in[1,n]}$ of jobs. Each job $\tau_i$ is a sequence of tasks (or instances) $\tau_{ij}$ ($j \in \mathbb{N}$). Each task $\tau_{ij}$ is activated by the occurrence of an incoming event. When the flow of incoming events associated with $\tau_i$ is periodic (the time interval between two successive incoming events is a constant $T \in \mathbb{N}^*$), $\tau_i$ is called periodic, and $T$ is one of its characteristics. If not, $\tau_i$ is called sporadic.
When all jobs of a real-time system are periodic, the system is likewise called periodic.
Each job $\tau_i$ which belongs to a real-time system is time-specified with 4 time characteristics $(r_i, T_i, C_i, D_i)$. If $\tau_i$ is periodic, the semantics of these characteristics are as follows:
$T_i$ is the period of $\tau_i$: it is the constant delay that separates the activation dates of two consecutive tasks $\tau_{ij}$ and $\tau_{ij+1}$.
$r_i$ is the first activation date: it is the occurrence date of the first event of the flow associated with $\tau_i$. The activation date of a task $\tau_{ij}$ is $r_i + jT_i$.
$C_i$ is the CPU load of the tasks $(\tau_{ij})_{j\in\mathbb{N}}$: it is the CPU time that must be allocated to $\tau_{ij}$ to complete its execution. Here, we consider the context of invariable CPU times for jobs: all tasks $\tau_{ij}$ share the same CPU load $C_i$. In Section 5, we extend this model to address tasks whose successive instances do not share the same CPU load.
$D_i$ is the critical delay of $\tau_i$: it determines the deadlines of all tasks $(\tau_{ij})_{j\in\mathbb{N}}$, that is the dates by which $\tau_{ij}$ must be completed. The deadline of task $\tau_{ij}$ is $r_i + jT_i + D_i$. In this paper, we assume that $D_i \le T_i$.
It is impossible to specify at what exact time the initial activation event of an alarm job will occur: if $\tau_i$ is sporadic, $r_i$ may be undefined, and $T_i$ indicates the minimum delay that separates two successive activations of $\tau_i$.
2.2 Execution contexts
Scheduling a real-time system consists not only in attributing CPU allocation time to jobs, but also in doing so according to the deadline constraints. The feasibility of scheduling a real-time system most notably depends on the hardware framework (number of processors, distribution, etc.).
A scheduling context provides an accurate description of the hardware and software configuration the scheduling algorithm is supposed to work with. A syntax meant to describe these contexts has been proposed in [19], and has been extended in [9] and [20]. Here, we use a syntax adapted from that of [20].
An execution context is specified by a table with a Hardware part and a Software part:
Hardware: Architecture $= (n, p)$ | Clock $=$ Mode | Communication $= (Cpx, Snc)$
Software: Structure $= (Jb, St, Ld)$ | Synchronisation $=$ Constraints | Preemption $=$ Prmpt
that can be understood with the following semantics:
• Hardware specifications
· Architecture $= (n, p) \in (\mathbb{N}^* \cup \{n\})^2$
$n$ specifies the number of nodes, and $p$ the maximum number of processors on each one.
· Clock $=$ Mode $\in \{$common, harmonic, synch, independent$\}$
specifies the time dynamics of the processors of each node. Its specification is based on unit (the common duration of all atomic statements) and start (starting date of the processor driving clock). Using processors $(p_i)_{i\in[1,p]}$ on a node, the semantics to be associated with the possible choices are the following:
common: all processors follow the same clock:
$(i, j) \in [1, p]^2 \Rightarrow \begin{cases} \mathrm{speed}(p_i) = \mathrm{speed}(p_j) \\ \mathrm{start}(p_i) = \mathrm{start}(p_j) \end{cases}$
harmonic: speeds of processors follow the same clock, in a harmonic way:
$(i, j) \in [1, p]^2 \Rightarrow \begin{cases} \mathrm{speed}(p_i) \in \mathrm{speed}(p_j)\,\mathbb{N} \;\vee\; \mathrm{speed}(p_j) \in \mathrm{speed}(p_i)\,\mathbb{N} \\ \mathrm{start}(p_i) = \mathrm{start}(p_j) \end{cases}$
synch: all processors follow clocks which start simultaneously:
$(i, j) \in [1, p]^2 \Rightarrow \mathrm{start}(p_i) = \mathrm{start}(p_j)$
independent: processors follow different clocks, and then there is no relation between speeds and starts.
· Communication $= (Cpx, Snc) \in \{H_0, H_-, H_+\} \times \{s, b, a\}$
$Cpx$ specifies communication complexities: $H_0$ for centralized (and then a null complexity), $H_+$ for non-null, uniform complexity communications, $H_-$ for heterogeneous communication.
$Snc$ specifies the synchronism level of communication channels. Channels between two tasks are implemented on buffers of size $k \in \bar{\mathbb{N}}$, that are specified in the following way: $s$ for synchronous (i.e. $k = 0$), $b$ for asynchronous with limited buffer (i.e. $k \in \mathbb{N}^*$), $a$ for asynchronous ($k = +\infty$).
• Software specifications
· Structure $= (Jb, St, Ld) \in \{s, p, a\} \times \{0, r_i, \bot\} \times \{C_f, C_v\}$
with the following semantics:
s: all tasks are sporadic
p: all tasks are periodic
a: there are periodic and sporadic tasks
0: the first instances of all tasks are activated synchronously at time 0
$r_i$: the first instances of all tasks are not activated synchronously at time 0
$\bot$: no specification is given on first activation dates
$C_f$: all instances of a job require the same CPU allocation time
$C_v$: two different instances of the same job may require different CPU allocation times
· Synchronisation $=$ Constraints $\in \mathcal{P}(\{r, c, p, x\})$
with the following semantics:
r: there is resource sharing between jobs
c: there is communication between jobs
p: there are precedence constraints between jobs
x: there are exclusion constraints between jobs
· Preemption $=$ Prmpt $\in \{$notp, parp, totp$\}$
with the following semantics:
notp: tasks cannot be preempted
parp: tasks can be preempted, excluding some specific contexts (e.g. critical sections)
totp: tasks can be preempted whatever the context
3 Time validation process for periodic systems
In this section, we consider the context
Hardware: Architecture $p \ge 1$ | Clock Common | Communication $(H_0, s)$
Software: Structure $(p, r_i, C_f)$ | Synchronisation none | Preemption totp
This context is called $ICCT(p)$ in the following (I for independent tasks, the first C for common clock, the second C for centralized system, T for periodic real-time system and $(p)$ for $p$ processors). In the following, the task system $(\tau_i)_{i\in[1,n]}$ is denoted $\Gamma$: $n$ is the number of tasks.
3.1 Basic notions on languages
The reader is presumed to be familiar with the basic notions about words, languages and automata [16]. However, we wish to recall two basic notions and some notations and results of which we have made use in this paper.
In the following, $\mathrm{Reg}(\Sigma)$ is the class of regular languages on the alphabet $\Sigma$.
Definition 1 Let $\Sigma_1$ and $\Sigma_2$ be two alphabets. The shuffle ($\sqcup\!\!\sqcup$) is a binary operation on words or languages, defined in the following way:
(1) $\forall a \in \Sigma_1 \cup \Sigma_2,\; a \sqcup\!\!\sqcup \varepsilon = \varepsilon \sqcup\!\!\sqcup a = \{a\}$
(2) $\forall (a, b, \omega, \xi) \in \Sigma_1 \times \Sigma_2 \times \Sigma_1^* \times \Sigma_2^*,\; a\omega \sqcup\!\!\sqcup b\xi = a\,(\omega \sqcup\!\!\sqcup b\xi) \cup b\,(a\omega \sqcup\!\!\sqcup \xi)$
(3) $\forall L_1 \subset \Sigma_1^*,\; \forall L_2 \subset \Sigma_2^*,\; L_1 \sqcup\!\!\sqcup L_2 = \bigcup_{(\alpha,\beta)\in L_1\times L_2} (\alpha \sqcup\!\!\sqcup \beta)$
Proposition 1 Let $\Sigma_1$ and $\Sigma_2$ be two alphabets, and $L_1 \subset \Sigma_1^*$ and $L_2 \subset \Sigma_2^*$. We get $L_1 \in \mathrm{Reg}(\Sigma_1) \wedge L_2 \in \mathrm{Reg}(\Sigma_2) \Rightarrow L_1 \sqcup\!\!\sqcup L_2 \in \mathrm{Reg}(\Sigma_1 \cup \Sigma_2)$
Definition 2 Let $L \subset \Sigma^*$, and let $\omega \in L$. We call prefix of $\omega$ every $\alpha \in \Sigma^*$ such that $\exists \beta \in \Sigma^*$ with $\omega = \alpha\beta$. The set of prefixes of a word $\omega$ is denoted $\mathrm{Pref}(\omega)$. This definition is extended to languages by $\mathrm{Pref}(L) = \bigcup_{\alpha\in L} \mathrm{Pref}(\alpha)$.
Definition 3 Let $L \subset \Sigma^*$, and $\omega \in L$. We call infinitely extendable prefix of $L$ every $\alpha \in \Sigma^*$ such that $\forall n \in \mathbb{N},\; \exists \beta \in \Sigma^*$ such that $|\beta| > n$ and $\alpha\beta \in L$. The set of infinitely extendable prefixes of $L$ is called $\mathrm{Center}(L)$.
Proposition 2 We obtain
(1) $\mathrm{Center}(L) = L^*\,\mathrm{Pref}(L)$
(2) $L \in \mathrm{Reg}(\Sigma) \Rightarrow \mathrm{Center}(L) \in \mathrm{Reg}(\Sigma)$
3.2 The language of job-valid behaviours
We define the notion of time unit in the following way: it is the execution time of an atomic statement (i.e. an assembler statement) on the target machine. In this work, we consider this value to be shared by all atomic statements.
Let us consider the job $\tau_i$, whose time parameters are $r_i \in \mathbb{N}$, $C_i \in \mathbb{N}^*$, $D_i \in \mathbb{N} \cap [C_i, +\infty[$ and $T_i \in \mathbb{N} \cap [D_i, +\infty[$. From its activation date $r_i + k \times T_i$, the $k$th instance of $\tau_i$ must own a CPU resource for $C_i$ time units on the time interval $[r_i + k \times T_i,\; r_i + k \times T_i + D_i[$. Let us denote by $a_i$ the state "$\tau_i$ owns a CPU for one time unit", and by $\bullet$ the state "$\tau_i$ does not own a CPU for one time unit". Every word of $a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}$ corresponds, on any time interval of the form $[r_i + k \times T_i,\; r_i + k \times T_i + D_i[$, to a processor time allocation compatible with the time constraints of $\tau_i$. This set is regular. If the scheduling configuration is valid, $\tau_i$ is inactive on every time interval of the form $]r_i + k \times T_i + D_i,\; r_i + (k + 1) \times T_i[$. This inactivity is modeled by the word $\bullet^{T_i - D_i}$. Then, every word of $\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}$ is a correct CPU time allocation for $\tau_i$ on any time interval of the form $[r_i + k \times T_i,\; r_i + (k + 1) \times T_i[$.
The task $\tau_i$ is defined as the sequence $(\tau_{ij})_{j\in\mathbb{N}}$ of its instances. A processor allocation compatible with $\tau_i$'s time constraints is a sequence of processor allocations compatible with the time constraints of $\tau_i$'s successive instances. Let $(\omega_j)_{j\in\mathbb{N}} \in \Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^{\mathbb{N}}$. For each $n \in \mathbb{N}$, the word $\omega_0\omega_1\ldots\omega_n$ models a time-valid processor time allocation for any sequence of $n + 1$ successive instances of $\tau_i$. In a general way, any word $\omega$ of $\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*$ models a valid processor time allocation for $\tau_i$ on any time interval of the form $[r_i + k \times T_i,\; r_i + k \times T_i + |\omega|[$, and then, in particular, on the time interval $[r_i,\; r_i + |\omega|[$. Insofar as $\tau_i$ is inactive on the interval $[0, r_i[$, the word $\bullet^{r_i}\omega$ models a valid processor allocation on the time interval $[0,\; r_i + |\omega|[$. $\omega$ can be as long as we wish. Then, the language $\bullet^{r_i}\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*$ collects all the valid processor allocations for $\tau_i$.
The scheduling validation problem consists, at time $t$, in deciding on the evolution possibilities of $\tau_i$ in both a given hardware and a given software context. Of course, the past of $\tau_i$ is known. Here, this past is the history of $\tau_i$'s CPU allocations, that is to say a finite word $\omega$ of $\{a_i, \bullet\}^*$. During this past, some instances of $\tau_i$ were completed, and the current instance is on (we can say so even at the outset). Then, by construction, $\omega$ is of the form $\omega_1.\mu$, where $\omega_1 \in \bullet^{r_i}\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*$ (the completed past instances), and $\exists \nu \in \{a_i, \bullet\}^*$ such that $\mu\nu \in \big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}$ (the current instance can be completed according to the time constraints). So, $\omega$ is a prefix of a word of $\bullet^{r_i}\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*$. Moreover, by construction as well, for any instant $f$ belonging to $]t, +\infty[$ (the future), there exists $\eta \in \Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*$ such that $|\omega\nu\eta| > f$. Following which, at each time $t$, the past $\omega$ of $\tau_i$ is a word of the center of $\bullet^{r_i}\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*$. Reciprocally, by definition, every word of this center language is the past of a valid processor allocation configuration.
Definition 4 We call Time-Valid Behaviour of $\tau_i$ every word of
$$\mathrm{Center}\Big(\bullet^{r_i}\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\Big)^*\Big)$$
A time-valid behaviour of $\tau_i$ models a processor time allocation (for $\tau_i$) such that we can guarantee that, in the future, the past of $\tau_i$ can effectively be extended according to $\tau_i$'s time constraints. In the following, we denote this language by $L(\tau_i)$.
Remark 1 By following a similar line of reasoning, we can show that the time-valid behaviours of a sporadic job $\tau_i$, of time parameters $C_i$, $D_i$ and $T_i$ (see footnote 2), belong to
$$\mathrm{Center}\Big(\bullet^{*}\Big(\big(a_i^{C_i} \sqcup\!\!\sqcup \bullet^{D_i - C_i}\big)\bullet^{T_i - D_i}\bullet^{*}\Big)^*\Big)$$
In the following, all the techniques we use and the properties we obtain arise from the property that $L(\tau_i)$ collects all valid behaviours. Then, since this property also applies to sporadic tasks, all these techniques and properties may be applied to periodic as well as sporadic jobs. For simplicity's sake, in the following, we deal only with periodic jobs, but all the obtained results are applicable to the general case.
3.3 Model for concurrency: the language of system-valid behaviours
In order to model concurrency, we use the homogeneous product of regular languages, which is defined as follows:
Definition 5 Let $\Sigma_1$ and $\Sigma_2$ be finite alphabets, and $L_1 \subset \Sigma_1^*$ and $L_2 \subset \Sigma_2^*$.
• Let $\alpha = \alpha_1\alpha_2\ldots\alpha_n \in L_1$ and $\beta = \beta_1\beta_2\ldots\beta_n \in L_2$ be two words of the same length $n$. The homogeneous product of $\alpha$ and $\beta$ is the word $\alpha\,\Omega\,\beta = \binom{\alpha_1}{\beta_1}\binom{\alpha_2}{\beta_2}\ldots\binom{\alpha_n}{\beta_n} \in (\Sigma_1 \times \Sigma_2)^n$.
2 Recall that for sporadic jobs, $T_i$ specifies the minimum time interval between two successive instances of the alarm signal associated with $\tau_i$.
• The homogeneous product of the languages $L_1$ and $L_2$ is the language
$$L_1\,\Omega\,L_2 = \bigcup_{n\in\mathbb{N}}\;\bigcup_{\alpha\in L_1\cap\Sigma_1^n,\;\beta\in L_2\cap\Sigma_2^n} \{\alpha\,\Omega\,\beta\}$$
$\Omega$ is a binary operator. Then, the expression $(a\,\Omega\,b)\,\Omega\,c$ is equal to $\binom{(ab)}{c}$, and the expression $a\,\Omega\,(b\,\Omega\,c)$ is equal to $\binom{a}{(bc)}$. In this case, the semantics associated with a vector is simultaneity. Then, $\binom{(ab)}{c}$ and $\binom{a}{(bc)}$ share the same semantics, which is the simultaneous execution of $a$, $b$ and $c$. Of course, such semantics can also be associated with the vector $\begin{pmatrix} a \\ b \\ c \end{pmatrix}$. We consider that $\binom{(ab)}{c} \equiv \binom{a}{(bc)} \equiv \begin{pmatrix} a \\ b \\ c \end{pmatrix}$. It follows that the operator $\Omega$ is associative, and can naturally be generalized to $n$-tuples of languages.
A behaviour of $\Gamma$ corresponds to an $n$-tuple of behaviours of the $\tau_i$'s, the semantics associated with $\binom{a}{b}$ being the simultaneity of $a$ and $b$. That is why the set of behaviours of $\Gamma$ is $\Omega_{i=1}^{i=n}(L(\tau_i))$. The homogeneous product does not reduce the set of behaviours of the jobs. And since all the $L(\tau_i)$'s are centers of regular languages, $\Omega_{i=1}^{i=n}(L(\tau_i))$ is also the center of a language.
If there are fewer processors than jobs (a frequent case!), owning a processor is a resource-sharing problem. It is integrated within the model thanks to Arnold-Nivat's technique [6]: for a $p$-processor architecture, we take into account the language
$$S_p = \Big\{\,\omega \in \prod_{i=1}^{i=n}\{\bullet, a_i\} \;\text{ such that }\; |\omega|_\bullet \ge n - p\,\Big\}$$
that collects the instantaneous configurations corresponding to valid executions on $p$ processors. The language $\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*$ collects all time behaviours that are compatible with both the $\tau_i$'s time specifications and $p$-processor hardware architectures.
The class of regular language centers is not closed under intersection. Here, this property means that processor sharing can lead a real-time job system to miss at least one of the imposed deadlines. Since we are interested in the set of time-valid behaviours, we only consider the subset of $\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*$ that collects the time-valid behaviours (i.e. the scheduling sequences that can be indefinitely extended according to the system time constraints) for the whole real-time system.
The language $\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*$ is partitioned into two languages
$$L_{inf} = \mathrm{Center}\Big(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\Big)$$
and
$$L_{fin} = \Big(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\Big) \setminus \mathrm{Center}\Big(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\Big)$$
$L_{inf}$ collects all behaviours compatible with the $p$-processor constraint which can be infinitely extended according to the $\tau_i$'s time specifications: they are valid behaviours. On the contrary, $L_{fin}$ collects the other behaviours: since they do not belong to the center of the language, they model CPU allocation sequences ensuring that, in the future, at least one of the $\tau_i$'s will miss its deadline. Then, $L_{inf}$ is exactly the set of time-valid behaviours.
This is why we define the set of time-valid behaviours of a job system in the following way:
Definition 6 We call time-valid behaviour for the system $\Gamma$ within the context $ICCT(p)$ every element of the language
$$L\!\left(\frac{\Gamma}{ICCT(p)}\right) = \mathrm{Center}\Big(\Omega_{i=1}^{i=n}(L(\tau_i)) \cap S_p^*\Big)$$
3.4 Feasibility Decision
The language $L(\tau_i)$ is implemented through its canonical associated finite automaton $A(\tau_i)$ (they follow generic structures: see Figure 2). Thus, the language $L\!\left(\frac{\Gamma}{ICCT(p)}\right)$ is also implemented thanks to the computing of its associated finite automaton $A\!\left(\frac{\Gamma}{ICCT(p)}\right)$, which is calculated from the $A(\tau_i)$'s through algebraic operations on automata. The decisions pertaining to these languages arise from the structural properties of the corresponding automata. Thus, the existence of these automata is necessary to reach the decision. That is why, in the following, we always show that synchronized products are regular.
The language $L\!\left(\frac{\Gamma}{ICCT(p)}\right)$ is designed to contain all valid behaviours of the system $\Gamma$. Thus, deciding on the feasibility of $\Gamma$ under the context $ICCT(p)$ comes about in an obvious way through the construction of this language:
Theorem 1 The system $\Gamma$ is valid within the context $ICCT(p)$ if and only if $L\!\left(\frac{\Gamma}{ICCT(p)}\right) \neq \emptyset$
[Figure 2. Generic automata for periodic and sporadic tasks. Left panel: periodic job; right panel: sporadic job. Both automata are drawn over the letters $\bullet$ and $a_i$, with segments annotated $r_i$, $D_i - C_i$, $C_i$ and $T_i - D_i$; the periodic automaton has a state "Wait for next activation event" (S), and the sporadic automaton adds $\bullet$-loops (labelled s) for the unbounded waiting before each activation.]
3.5 A case study: the AMADO project
From 2002 through July 2005, the French National Research Agency for Space and Aeronautics (ONERA) organized an international competition for the design of miniature unmanned air vehicles (UAV): the AMADO project (footnote 3; see [1] for details). This competition was open to all universities and engineering schools in the world; it was sponsored by the French Délégation Générale de l'Armement (DGA), of the French defense ministry.
One goal of this competition was to demonstrate the technical feasibility of miniature UAVs as an infantry aid. Even though DGA is an organisation devoted to weapon conception, the UAVs were designed for the sake of observation, not destruction; they may be viewed as flying binoculars.
Three Poitiers-based labs (footnote 4) took part in this competition, and are designing a UAV prototype.
In this paper, we are only interested in the controller program design, and more specifically in its autonomous running mode. In this context, the embedded software must drive the UAV in autonomous mode. This part of the software is composed of 7 periodic jobs with invariable CPU load. These jobs share 6 critical resources, which are not considered in this section. Figure 3 presents its preliminary DARTS diagram. Time specifications for the different jobs that compose this controller are the following:
3 Automated Miniature Aircraft for Detection and Observation.
4 LISI (Research Ministry Team (EA) nr 1232): Lab of Applied Computer Science; SIC (CNRS Emerging Team (FRE) nr 2731): Signal, Image, Communication; LEA (CNRS Research Unit (UMR) nr 6609): Lab of Aerodynamics.
[Figure 3. Preliminary DARTS diagram for the UAV controller. The diagram shows the jobs Read Attitude, Read Flight Instruments, Read GPS, Read Altitude, Navigation, Regulation, Transmit to servo-mechanism and Transmission, the data they exchange (FLIGHT PLAN, ATTITUDE INSTRUCTIONS, COMMAND, INFOS FLIGHT, Messages, Position, Speed), precedence links from Navigation and Regulation, and periods of 100 ms, 200 ms and 400 ms.]
Job   Role                          ri   Di   Ti   Ci
τ1    Read Attitude                  0    5    5    4
τ2    Read Flight Instruments        0    5    5    4
τ3    Read GPS                       0   12   25   10
τ4    Transmit to servo-mechanism    0    6   10    2
τ5    Transmission                   0    5    5    2
τ6    Navigation                     0   15   25   10
τ7    Regulation                     0   16   25   10
Computation of the validation automaton for this system is carried out following the sequence presented below, which shows both the order of the computing and the sizes (edge counts) of the homogeneous ($\Omega$) as well as the synchronized ($\Pi$) product automata. Recall that homogeneous products model concurrency, and synchronized products model processor sharing. The reader may note that in the following table, both $|\Omega|$ and $|\Pi|$ share the same values for the subsystems limited to the first four jobs: since we have four processors at our disposal, there is no processor sharing, so synchronized products are not computed. On the contrary, there is processor sharing as soon as the 5th job is integrated in the product, and then there are differences between $|\Omega|$ and $|\Pi|$.
Job   |Ai|    |Ω|     |Π|     (products of the jobs up to this row)
τ1     13       -       -
τ2     13      35      35
τ3     84     591     591
τ4     26    1513    1513
τ5     17    5552    5544
τ6    120   33417   33041
τ7    140   57618   48975
The final product is not empty: this system is feasible for a 4-processor target, without considering critical resource sharing.
4 Integrating job constraints
In this section, we integrate job interdependence into the model, and we show that the validation results still stand. The constraints we wish to consider are critical resource sharing and message-based communications. Thus, we consider the context
Hardware: Architecture $p \ge 1$ | Clock Common | Communication $(H_0, s)$
Software: Structure $(p, r_i, C_f)$ | Synchronisation $\{r, c\}$ | Preemption totp
Let $\Delta$ be the set of items (resources, messages, etc.) concerning the job system synchronisation. The corresponding context is called $D(\Delta)CCT(p)$ (with $D(\Delta)$ for dependent jobs under the constraint set $\Delta$) in the following.
4.1 Using Arnold-Nivat synchronized products
To integrate job interdependence (communication, resource sharing) between the $\tau_i$'s, we also use Arnold-Nivat's technique [6]: each resource $R$ (shared resource or communication message) is modeled by a virtual job $\xi_R$, designed to trace its states (busy/idle, for instance, for a shared resource using a basic protocol, but more highly elaborated protocols can likewise be modeled [7]). The principle of the Arnold-Nivat model is presented in Figure 4:
• We consider a set of tasks sharing a critical resource: each task is modeled by a finite automaton. The first step consists in building the product automaton, which models the concurrent system composed of all the tasks.
• The protocol used to manage the constraint (shared resource or any other constraint) is a process: it is modeled by the use of a specific automaton (see [7], for instance). In the case of Figure 4, the constraint consists in executing $b$ before executing $\psi$ (precedence constraint). Step 2 consists in producing the product automaton that models the concurrent running of both the task system and the protocol. Step 3 consists in erasing all states (and corresponding edges) of the automaton which correspond to a violation of the protocol.
• The product automaton is composed of the states which satisfy the constraint: the protocol component is now useless (it is not part of the task system), and it can be erased through the use of a projection (step 4).
The general process can be viewed as follows. $\Big(\Omega_{i=1}^{i=n} L(\tau_i)\Big)\,\Omega\,L(\xi_R)$ collects the behaviours of the system composed of both the $\tau_i$'s and the resource $R$. Let us now consider the set $S_R$ of the instantaneous configurations compatible with the resource management protocol. $\Big(\big(\Omega_{i=1}^{i=n} L(\tau_i)\big)\,\Omega\,L(\xi_R)\Big) \cap S_R^*$ collects only the behaviours of $\Gamma$ which are compatible with the resource management protocol.
Now, we use the same property as for processor sharing (see Section 3.4): the class of regular language centers is not closed under intersection. Here, this property means that sharing a critical resource can lead a real-time system to miss at least one of the imposed deadlines. Since we are still interested in the set of time-valid behaviours, we again consider the subset of $\Big(\big(\Omega_{i=1}^{i=n} L(\tau_i)\big)\,\Omega\,L(\xi_R)\Big) \cap S_R^*$ that collects the time-valid behaviours (i.e. the scheduling sequences that can be indefinitely extended according to the system time constraints) for the whole system. Following the same reasoning as for the context $ICCT(p)$, we collect all infinitely extendable behaviours of this set, i.e. we consider
$$L\!\left(\frac{\Gamma}{D(R)CCT(\infty)}\right) = \mathrm{Center}\Big(\Big(\big(\Omega_{i=1}^{i=n} L(\tau_i)\big)\,\Omega\,L(\xi_R)\Big) \cap S_R^*\Big)$$
This language is associated with the context $D(\Delta)CCT(\infty)$, because it collects all time-valid behaviours according to both time and resource protocol constraints, but without considering processor sharing constraints. These can be integrated in the model through renewed use of Arnold-Nivat's technique, in the same way as for the $ICCT(p)$ context, i.e. computing
$$L\!\left(\frac{\Gamma}{D(R)CCT(p)}\right) = \mathrm{Center}\Big(L\!\left(\frac{\Gamma}{D(R)CCT(\infty)}\right) \cap S_p^*\Big).$$
[Figure 4. Arnold-Nivat model for resource sharing. The figure shows two tasks $\tau_1$ (states 1, 2, 3; letters $a$, $b$) and $\tau_2$ (states $\alpha$, $\beta$, $\gamma$, $\delta$; letters $\mu$, $\varphi$, $\psi$), a virtual task (states A, B, C; letters $b$, $\psi$ and $*$), and the four steps of the construction: Step 1, model for the concurrent execution of $\tau_1$ and $\tau_2$; Step 2, adding the state of the resource, with the synchronization set $(x, y, z) \Rightarrow x = z \vee y = z$; Step 3, deleting the paths which transgress the resource access protocol; Step 4, deleting the virtual task component by the projection $(x, y, z) \Rightarrow (x, y)$.]
Remark 2 Let $\rho_j$ be the projection $(x_i)_{i\in[1,n]} \to x_j$, and let us extend this notation to intervals, by defining $\rho_{[a,b]}$ as the projection
$$(x_i)_{i\in[1,n]} \to (x_i)_{i\in[\max(1,a),\,\min(b,n)]}$$
In the language $L\left(\Gamma_{D(R)CCT(p)}\right)$, the components corresponding to virtual jobs modeling resources are now useless: we erase them from the model, by using $\rho_{[1,n]}$. Thus, we finally consider the language $\rho_{[1,n]}\left(L\left(\Gamma_{D(R)CCT(p)}\right)\right)$. For the sake of simplicity, we shall denote this language by $L\left(\Gamma_{D(R)CCT(p)}\right)$: then, in the following, we omit writing the $\rho_i$'s.
Since a synchronisation model is based upon intersections of languages, we obtain
$$L\left(\Gamma_{D(\{R_1,R_2\})CCT(p)}\right) = Center\left(L\left(\Gamma_{D(R_1)CCT(p)}\right) \cap S_{R_2}^*\right)$$
Applying this property by induction, we obtain the following definition:
Definition 7 Let Γ be a real-time system and $\Delta = (R_j)_{j\in[1,r]}$ be a set of synchronization constraints (resources or messages). We call time-valid behaviour of Γ under the context D(∆)CCT(p) every element of the language
$$L\left(\Gamma_{D(\Delta)CCT(p)}\right) = Center\left(L\left(\Gamma_{ICCT(p)}\right) \cap \left(\bigcap_{i=1}^{i=n}\left(S_{R_i}^*\right)\right)\right)$$
where $S_{R_i}$ is the set of valid instantaneous configurations, according to the management protocol of resource $R_i$.
In [6], the author shows how this technique can be used in order to model
resource sharing, precedence and communication by message.
4.2 Feasibility Decision
Like $L\left(\Gamma_{ICCT(p)}\right)$, $L\left(\Gamma_{D(\Delta)CCT(p)}\right)$ is a language that collects time-valid behaviours of the system. Then, theorem 1 remains valid. Thus, we obtain: Γ is valid under context D(∆)CCT(p) $\Leftrightarrow L\left(\Gamma_{D(\Delta)CCT(p)}\right) \neq \emptyset$.
4.3 The AMADO project: feasibility with critical resources
Let us now complete the feasibility study we began in Section 3.5, by including critical resource sharing in the synchronized product computation. First, we complete the table that presents the time characteristics of jobs along with the resources used (resources are identified as R1, R2, and so on):

Job | Role | ri | Di | Ti | Ci | Resources used
τ1 | Read Attitude | 0 | 5 | 5 | 4 | Infos Flight (R1), Precedence Regulation (R2)
τ2 | Read Flight Instruments | 0 | 5 | 5 | 4 | Flight plan (R3), Command (R4)
τ3 | Read GPS | 0 | 12 | 25 | 10 | Infos Flight (R1), Precedence Navigation (R5)
τ4 | Transmit to servo-mechanism | 0 | 6 | 10 | 2 | Command (R4)
τ5 | Transmission | 0 | 5 | 5 | 2 | Infos Flight (R1)
τ6 | Navigation | 0 | 15 | 25 | 10 | Precedence Navigation (R5), Flight plan (R3), Attitude Instructions (R6)
τ7 | Regulation | 0 | 16 | 25 | 10 | Precedence Regulation (R2), Command (R4), Attitude Instructions (R6)
Computing the validation automaton for this system is carried out following the sequence presented in the table drawn below, in the same way as for the independent job case: Ω denotes the homogeneous product automaton, Rj Π the product automaton synchronized on resource Rj, and C the center language automaton, which is computed after each synchronized product. Each synchronization addresses both resource and processor sharing. The reader can note that in the following computation, tasks are integrated within the product following a different order than in § 3.5: we begin by integrating the more constrained tasks, in order to limit product automata sizes as much as possible.
Integrated job | |Ai| | |Ω| | Rj (|Π| / |C|)
τ7 | 140 | | 
τ6 | 120 | 1055 | R6 (884 / 786)
τ3 | 84 | 8233 | R5 (8179 / 8179)
τ2 | 13 | 20868 | R3 (18429 / 17358), R4 (14083 / 10210)
τ1 | 13 | 23098 | R2 (17710 / 15701), R1 (11506 / 9946)
τ5 | 17 | 15701 | R1 (3939 / 0)
τ4 | 26 | 0 | R4 (0 / 0)
The final product is empty: this system is not feasible for a 4-processor target, once critical resource sharing is taken into account. Since this system is feasible without considering resource sharing (see §3.5), the resources are responsible for the unfeasibility.
Let us now observe the synchronization constraint levels involved by each resource, for instance by evaluating the ratios $\frac{|C|}{|\Pi|}$. With this objective, for each resource Ri, we study the subsystem composed of all jobs that share Ri, without processor sharing (i.e. using as many processors as jobs). Resource R1 is the most constraining: it leads, for a 3-job system, to a level of $\frac{94}{654}$, that is to say about 16%. Adding processor sharing on top of R1 sharing, this level drops to 9% for a 2-processor target, and to 1% for a 1-processor target. That is why the whole system is not feasible. The feasibility diagnosis thus advises the designer to look at R1 sharing in order to render the system feasible.
5 WCET free analysis
In general, real-time jobs execute programs whose CPU load is variable: they contain if... then... else and for... do statements. In this case, the CPU load of each instance of the job depends on the values of some of its variables, i.e. on its functional semantics. In previous sections, the task τi is associated with the time parameter Ci, which specifies its CPU allocation time. This value must be viewed as the WCET: it is the minimal CPU allocation time needed to schedule τi in the worst case (see Figure 6).
In this section, we extend our model in order to analyse systems in accordance with the real values of Ci, as opposed to WCET values. We have termed this manner of proceeding WCET-free analysis.
In this study, we consider programs composed of atomic statements (:=), choices (if... statements) and static loop statements (Ada-like for...). We consider neither dynamic loops nor recursive subroutine calls: in the context of hard real-time software, this restriction is realistic.
Thus, the context considered here is

Architecture | Clock | Communication | Structure | Synchronisation | Preemption
p ≥ 1 | Common | (H0, s) | (p, ri, Cv) | rc | totp
(Hardware: Architecture, Clock, Communication; Software: Structure, Synchronisation, Preemption)

This context is called D(∆)CCVT(p) (with V for variable CPU load tasks) in the following.
Statement 1
Statement 2
if Condition 1 then
    Statement 3
else
    Statement 4
    for i from 1 to 8 do
        Statement 5
        if Condition 2 then
            Statement 6
        end if
    end for
[Figure 5 graph: the automaton obtained from the program above, the body of the for loop being iterated 8 times.]
Figure 5. From the program to the graph
5.1 The language of job-valid behaviours
To integrate these kinds of jobs, one must model many CPU loads for each τi. However, not all CPU loads are allowed: the only ones allowed are those which effectively correspond to at least one of the functional behaviours of the job. Let us consider, for instance, the program presented on Figure 5. It is associated with its canonical finite automaton representation by applying the morphism Statement → $a_i$ to all values that label edges (they are statements). Thus, every path through this automaton is labelled with a word $a_i^j$, where j is a CPU allocation duration compatible with at least one of the behaviours of τi. In this example, the set is $a^2\{a^2,\ a^2(a^2\{a, a^2\})^8\}$, which can also be described by $\{a^4, (a^{28+i})_{i\in[1,8]}\}$. We denote this set with $P_{\tau_i}$. It is always finite, because there are no dynamic statements in the program (no dynamic loops, no recursive subroutine calls). For $\omega \in P_{\tau_i}$, $Center\left(\bullet^{r_i}\left(\left(\omega\, W\, \bullet^{D_i-|\omega|}\right)\bullet^{T_i-D_i}\right)^*\right)$ collects the set of time-valid behaviours of τi such that each instance of τi uses a CPU allocation of |ω| time units. Now, let us call $(\omega_k)_{k\in I}$ the words that belong to $P_{\tau_i}$. Since $P_{\tau_i}$ is finite, I is finite too. In general, time-valid behaviours of successive instances of τi correspond to different $\omega_k$'s. Then, a time-valid behaviour of τi belongs to
$$L(\tau_i) = Center\left(\bullet^{r_i}\left(\bigcup_{k\in I}\left(\omega_k\, W\, \bullet^{D_i-|\omega_k|}\right)\bullet^{T_i-D_i}\right)^*\right).$$
Since I is a finite set, this language remains regular.
The L(τi)'s being sets of τi's valid behaviours, computing the set of valid behaviours of the whole system Γ is based upon both homogeneous products and Arnold-Nivat's synchronisation technique.
[Figure 6: CPU load sets derived from the graph, contrasting the effectively used CPU time and the unused CPU time obtained with the WCET computing technique and with the WCET-free computing technique.]
Figure 6. From the graph to the CPU load set
5.2 Feasibility Decision
The role of Arnold-Nivat's synchronization technique is to forbid some behaviours of the τi's. Under the context D(∆)CCT(p), forbidding a behaviour corresponds to forbidding a specific CPU allocation sequence, but no restrictions are imposed on specific functional behaviours of the job.
Under the context D(∆)CCVT(p), synchronizing may forbid τi from following some of its behaviours (the shorter ones, for instance), and allow it to follow others (longer ones, for instance). Thus, the predicate $L\left(\Gamma_{D(\Delta)CCVT(p)}\right) \neq \emptyset$ only captures the following property: for each job, there exists at least one valid path. We call this property weak feasibility:
Notation 1 Recall that we are noting $\rho_i$ the projection of a vector V on its ith component. At this point, we are introducing a new projection: π.
Let A be an alphabet, and B ⊂ A. We note respectively $\pi_B$ and $\pi_{\neg B}$ the two morphisms
$$\pi_B : A \to B,\ \begin{cases} x \in B \to x \\ x \in A \setminus B \to \varepsilon \end{cases} \qquad \text{and} \qquad \pi_{\neg B} : A \to B,\ \begin{cases} x \in B \to \varepsilon \\ x \in A \setminus B \to x \end{cases}$$
When A = {a}, we note $\pi_{\{a\}}$ as well as $\pi_a$.
Definition 8 A real-time system $\Gamma = \left\{(\tau_i)_{i\in[1,n]}\right\}$ is weakly feasible under context C if $\forall i \in [1,n],\ \exists \omega \in P_{\tau_i}$ such that $\exists \alpha \in L\left(\Gamma_C\right)$ such that $\pi_{a_i}(\rho_i(\alpha)) = \omega$.
Thus, theorem 1 addresses weak feasibility.
When job CPU loads are invariable, weak feasibility and feasibility are equivalent, since the only two alternatives are the existence and the non-existence of one occurrence of ω. That is why theorem 1 is useful when addressing feasibility in this context.
On the other hand, as soon as there exists one τi whose successive instances follow different CPU loads, this theorem is useless, since weak feasibility and feasibility are no longer equivalent: for such systems, weak feasibility means that there are compatible behaviours. Others can nevertheless be forbidden, because of functional incompatibilities (resource sharing, for instance).
Let us consider, for instance, a job system $(\tau_i)_{i\in[1,2]}$, where τ1 and τ2 share a critical resource. The body of τ1 is presented in Figure 7.a. The structures of their respective bodies are such that, when resource sharing is used, both jobs miss their deadlines. However, for each of these two jobs, there exists a possible behaviour compatible with its time constraints: for τ1, it is the set of behaviours which avoids resource sharing (see Figure 7.b). Thus, the system is not feasible, since some functional behaviours of jobs are excluded by the systemic constraints, but it is weakly feasible: it satisfies theorem 1! Thus, theorem 1 does not stand within context D(∆)CCVT(p).
In a feasible system, every job may always be allowed to follow any of its (functional) behaviours according to both resource sharing and time constraints. This property is stronger than weak feasibility. We call it strong feasibility:
Definition 9 A real-time system $\Gamma = \left\{(\tau_i)_{i\in[1,n]}\right\}$ is strongly feasible under context C if and only if
$$\forall (\omega_i)_{i\in[1,n]} \in \prod_{i=1}^{i=n} P_{\tau_i},\ \exists \alpha \in L\left(\Gamma_C\right) \text{ such that } \forall i \in [1,n],\ \pi_{a_i}(\pi_i(\alpha)) = \omega_i$$
The feasibility of a system Γ is reached as soon as $L\left(\Gamma_C\right) \neq \emptyset$ and Γ is strongly feasible. These considerations lead us to generalize theorem 1 in the following way (see Figure 8).
[Figure 7.a, body of job τ1:]
If Condition 1 Then
    P1
    Statement 1
    V1
Else
    If Condition 2 Then
        Statement 2
        Statement 3
    Else
        Statement 4
        Statement 5
    End If
    Statement 6
End If
[Figure 7.b, valid part of the body of job τ1: the same body restricted to the behaviours that avoid the resource (see text).]
Figure 7. Example of invalid configuration
[Figure 8: for each class of systems (job systems with invariable CPU loads, job systems with variable CPU loads), the behavioural property (feasibility) is set beside the computable property (weak feasibility, strong feasibility).]
Figure 8. Feasibility computation
Theorem 2 A system $\Gamma = \{(\tau_i)\}_{i\in[1,n]}$ is feasible under context D(∆)CCVT(p) if and only if
$$\begin{cases} L\left(\Gamma_{D(\Delta)CCVT(p)}\right) \neq \emptyset \\ \Gamma \text{ is strongly feasible} \end{cases}$$
Note that for invariable CPU load, both weak and strong feasibility are equivalent, and that theorems 1 and 2 address the same property: feasibility.
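The distinction between Definitions 8 and 9, and the test of Theorem 2, can be checked mechanically on a finite set of behaviours. The following Python sketch is an added example, not code from the paper: it assumes each behaviour α is given as a tuple of per-job component words over {a, •, P, V} (the idle letter • written '.'), so that ρ_i(α) is the i-th component and π_{a_i} keeps only the letters a; the job loads P_τi and the behaviours are constructed sample values.

```python
from itertools import product

IDLE = "."  # the paper's idle letter •


def pi_a(component):
    """π_{a_i}: keep only the CPU letters a of one job's component (•, P, V are erased)."""
    return "".join(x for x in component if x == "a")


def realised_loads(behaviours, n):
    """The set of tuples (π_{a_i}(ρ_i(α)))_{i∈[1,n]} over all behaviours α of the
    language. A behaviour is a tuple of n component words of equal length."""
    realised = set()
    for alpha in behaviours:
        if len(alpha) != n or len({len(c) for c in alpha}) != 1:
            raise ValueError("a behaviour has one component per job, all of the same length")
        realised.add(tuple(pi_a(c) for c in alpha))
    return realised


def weakly_feasible(behaviours, loads):
    """Definition 8: for every job τi, some ω ∈ P_τi is realised by some valid behaviour."""
    seen = realised_loads(behaviours, len(loads))
    return all(any(t[i] in loads[i] for t in seen) for i in range(len(loads)))


def strongly_feasible(behaviours, loads):
    """Definition 9: every combination (ω_i) ∈ Π P_τi is realised by some valid behaviour."""
    seen = realised_loads(behaviours, len(loads))
    return all(combo in seen for combo in product(*loads))


def feasible(behaviours, loads):
    """Theorem 2: the language is non-empty and the system is strongly feasible."""
    return len(behaviours) > 0 and strongly_feasible(behaviours, loads)


# Constructed sample: τ1 has a variable load P_τ1 = {a, a^2}, τ2 a fixed load P_τ2 = {a^3};
# each behaviour covers one period of 4 time units for both jobs.
SAMPLE_LOADS = [{"a", "aa"}, {"aaa"}]
SAMPLE_FULL = [("a...", "aaa."), ("aa..", ".aaa"), ("Pa.V", "aaa.")]  # both loads of τ1 survive
SAMPLE_PARTIAL = [("a...", "aaa.")]  # synchronization kept only the short behaviour of τ1

if __name__ == "__main__":
    for name, sample in (("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL), ("empty", [])):
        print(name, weakly_feasible(sample, SAMPLE_LOADS), strongly_feasible(sample, SAMPLE_LOADS))
```

The partial sample is the Figure 7 situation: the language is non-empty, so the system is weakly feasible, but one functional behaviour of τ1 is never realised, so it is not strongly feasible and Theorem 2 rejects it.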
If Γ satisfies theorem 2, the set $L\left(\Gamma_{D(\Delta)CCVT(p)}\right)$ of its time-valid behaviours is a regular language. For such languages, the star lemma [16] shows that every sufficiently long word contains an iterated subword.
Thus, this lemma leads to the following property: if Γ is a set of interdependent tasks, to be scheduled under the context D(∆)CCVT(p), the time-valid behaviours of Γ are cyclic.
This consequence shows that the cyclicity problem for multiprocessor contexts [12] can be solved, hence on-line scheduling can be validated by simulation for multi-processors.
5.3 The AMADO project: considering variable CPU load jobs
In the UAV controller, Navigation is the most complex job, in terms of control statements. Its program contains some if/then/else constructors, and calls for some elementary computing subroutines (3 or 4 atomic statements for each one, without control statements). This program and its translation into an operational model are presented in the table presented in Figure 9. Translated into a set of operational behaviours, the program presented on this Figure leads to
$$a^3\,P(R_5)\,a^{13}\,V(R_5)\,\{a, a^2\}\,P(R_3)\,a^{12}\,V(R_3)\,\{a, a^2\}\,P(R_6)\,a^{8}\,\{a, a^2\}^6\,V(R_6)\,a$$
Since $\{a, a^2\}^6 = \{a^6, a^7, a^8, a^9, a^{10}, a^{11}, a^{12}\}$, the operational behaviours of this program correspond to 24 different CPU loads, the least loaded being a 51-time-units behaviour, and the most loaded a 59-time-units one.
Computing the synchronized product automaton associated with this variable CPU time real-time system follows this sequence:

Integrated job | |Ai| | |Ω| | Rj (|Π| / |C|)
τ7 | 140 | | 
τ6 | 212 | 2080 | R6 (2074 / 2074)
τ3 | 84 | 13768 | R5 (12866 / 12678)
τ2 | 13 | 32705 | R3 (29382 / 27858), R4 (25327 / 14296)
τ1 | 13 | 30328 | R2 (21269 / 18770), R1 (15431 / 13904)
τ5 | 17 | 21445 | R1 (2160 / 1707)
τ4 | 26 | 2302 | R4 (1324 / 379)

The final product is not empty: in accordance with critical resource sharing, the system is weakly feasible for a 4-processor target, but not strongly feasible: the one and only path accepted for scheduling purposes is the shortest (51 time units).
Figure 9 presents, side by side, the Navigation job program code and its operational translation.
Navigation job program code:
    void Navigation (Job_Traiter_GPS)
    {
        double Pos[3],ActDir,test1;
        double NxtPos[3];
        double Dir,DifDir;
        GetResource(Res_InfosGPS);
        Pos[Lat]=LatLngChk(GPS_Tr.Lat,GPS_Tr.LatFrac);
        Pos[Lng]=LatLngChk(GPS_Tr.Lng,GPS_Tr.LngFrac);
        Pos[FLlev]=GPS_Tr.AltRef/1000.0;
        ActDir=GPS_Tr.COG/100;
        ReleaseResource(Res_InfosGPS);
        if ((Abs(NxtPos[Lat],Pos[Lat])<AprxLat) && (Abs(NxtPos[Lng],Pos[Lng])<AprxLng))
            PntToRchNW=(PntToRchNW+1)%NWPtTotNb;
        GetResource(Res_Waypoints);
        NxtPos[Lat]=LatCmp(TabWayPoint[PntToRchNW]);
        NxtPos[Lng]=LngCmp(TabWayPoint[PntToRchNW]);
        NxtPos[FLlev]=FLCmp(TabWayPoint[PntToRchNW]);
        ReleaseResource(Res_Waypoints);
        if(ActDir>180)
            ActDir-=360;
        GetResource(Res_ConsignesAttitude);
        Dir=DirDet(Pos, NxtPos);
        DifDir= Dir- ActDir;
        Consigne.W0_Ref=NxtPos[AltCmp]-Pos[AltCmp];
        if(Consigne.W0_Ref>VrtLmtSpeed)
            Consigne.W0_Ref=VrtLmtSpeed;
        if(Consigne.W0_Ref<-VrtLmtSpeed)
            Consigne.W0_Ref=-VrtLmtSpeed;
        if(DifDir>180) DifDir-=360;
        if(DifDir<-180) DifDir+=360;
        Consigne.Phi_Ref=0.2*DifDir;
        if(Consigne.Phi_Ref>LmtIncl)
            Consigne.Phi_Ref=LmtIncl;
        if(Consigne.Phi_Ref<-LmtIncl)
            Consigne.Phi_Ref=-LmtIncl;
        ReleaseResource(Res_ConsignesAttitude);
        TerminateTask();
    }
Operationals:
    void Navigation ()
    {
        a; a; a;
        P (R5);
        a^4; a^4; a^4; a;
        V (R5); {a, a^2};
        P (R3);
        a^4; a^4; a^4;
        V (R3); {a, a^2};
        P (R6);
        a^4; a; a^3;
        {a, a^2}; {a, a^2}; {a, a^2}; {a, a^2}; {a, a^2}; {a, a^2};
        V (R6);
        a;
    }
Figure 9. Navigation job program vs operationals for one procedure of the AMADO project code
6 Integrating hardware specifications
Let us now suppose that Γ is designed to run on a multiprocessor machine where some processors do not run at the same speed. Moreover, we suppose that each τi is designed to run on a fixed processor (there is no task migration; this hypothesis is realistic in the framework of real-time software). Let us consider the context

Architecture | Clock | Communication | Structure | Synchronisation | Preemption
p ≥ 1 | Common starts | (H0, s) | (p, ri, Cv) | rc | totp
(Hardware: Architecture, Clock, Communication; Software: Structure, Synchronisation, Preemption)

This context is called D(∆)SCVT(p) (with S for Common starting clocks) in the following.
Let τ1 and τ2 be two tasks designed to run on processors p1 and p2, whose running speeds are different, i.e. whose CPU time units are different. We note by ui the execution time of any atomic statement on pi (for i ∈ {1, 2}). Obviously, we suppose that $u_1 \neq u_2$. Then, any symbol which appears in words of L(τ1) (resp. L(τ2)) is supposed to be associated with the delay u1 (resp. u2): the time semantics correspondingly associated with the language depends on the target processor. We take this into account by indexing the language with this time unit: the language which collects the behaviours of τ1 when it is running on p1 is denoted $L_{u_1}(\tau_1)$.
In previous sections, all processors were running at the same speed u, this speed was omitted in the description of the relevant languages, and the synchronized product was naturally associated with u. At present, however, we cannot compute the synchronized product of $L_{u_1}(\tau_1)$ and $L_{u_2}(\tau_2)$; this is due to the fact that it is impossible to associate a time unit with the edges of the product.
In order to avoid this problem, in this section we propose a technique allowing us to determine a unit u such that
• $L_{u_1}(\tau_1)$ can be mapped into $L_u(\tau_1)$,
• $L_{u_2}(\tau_2)$ can be mapped into $L_u(\tau_2)$.
These two languages bring us back to the previous context: the technique presented earlier in this article can be used to compute the synchronized product of $L_u(\tau_1)$ and $L_u(\tau_2)$, whose edges are naturally associated with the time u. In Section 6.1, we show how u can be determined, and we give the mapping to compute $L_u(\tau_1)$ from $L_{u_1}(\tau_1)$.
6.1 The language of job-valid behaviours
$L_{u_1}(\tau_1)$ is computed from the time characteristics of τ1. Some of these characteristics are time-absolute values which do not depend on the characteristics of the target processor: Ti, Di and ri. On the other hand, the value Ci depends on the speed of the processor: we get
$$C_i\Big|_{\text{CPU with a time unit } u} = \frac{C_i}{k}\Big|_{\text{CPU with a time unit } \frac{u}{k}}$$
Computing $L_u(\tau_1)$ from $L_{u_1}(\tau_1)$ presupposes our keeping the specified values of Ti, Di and ri, and likewise presupposes our considering for Ci the value corresponding to the time unit u.
Example 1 Let τi be a job of characteristics ri = 3ms, Di = 8ms, Ti = 10ms and Ci = 3ui. With ui = 1ms, we get
$$L_{u_i}(\tau_i) = Center\left(\bullet^{3}\left(\left(a^3\, W\, \bullet^{5}\right)\bullet^{2}\right)^*\right)$$
With ui = 250 ns, we get the (different) language
$$L_{u_i}(\tau) = Center\left(\bullet^{12}\left(\left(a^3\, W\, \bullet^{29}\right)\bullet^{8}\right)^*\right)$$
Observing Figure 10, one may note that u1 and u2 must be multiples of u: the natural value for u is gcd(u1, u2), which can always be computed as soon as u1 and u2 are integer values. This last property is yielded as soon as time units are expressed in terms compatible with the characteristics of the processors put to work (µs, ns, ps, etc.).
Words belonging to $L_{u_i}(\tau_i)$ integrate parameters ri, Di and Ti by enumerating job inactivity in terms of time units. A word which describes the behaviour of a task on a time interval of duration t is composed of letters whose individual time interval is of length ui, so t must be a multiple of ui: $\underbrace{a\,a \cdots a}_{t}$, each letter a lasting $u_i$. Computing the language $L_{u_i}(\tau_i)$ involves the translation of the time values Ti, Di and ri into word lengths. For Ti, for instance, we get the figure $\underbrace{x\,x \cdots x}_{T_i}$, each letter x lasting $u_i$: the inactivity of a task for a time Ti would then be expressed by the word $\bullet^{\frac{T_i}{u_i}}$.
On the one hand ri, Di and Ti are usually greater than 20ms, on the other hand ui is about some µs. Since external time specifications for jobs can often be reviewed by constraining or relaxing them (these modifications must be compatible with the external specifications of the sensors and actuators), we suppose in the following that $\frac{T_i}{u_i} \in \mathbb{N}$, $\frac{D_i}{u_i} \in \mathbb{N}$ and $\frac{r_i}{u_i} \in \mathbb{N}$.
The expression of $L_{u_i}(\tau_i)$ comes from the translation into time units of the time specifications of the job (period, deadline and first activation date). Then, for the job τi, whose behaviours of $P_{\tau_i}$ are the $(\omega_k)_{k\in I}$ (see §5.1), we obtain
$$L(\tau_i) = Center\left(\bullet^{\frac{r_i}{u_i}}\left(\bigcup_{k\in I}\left(\omega_k\, W\, \bullet^{\frac{D_i-|\omega_k|}{u_i}}\right)\bullet^{\frac{T_i-D_i}{u_i}}\right)^*\right)$$
[Figure 10: two jobs with CPU time units u1 = 8 and u2 = 6 are both rewritten on the observation time unit u = gcd(8, 6) = 2 by the morphisms of Definition 10, after which the product can be computed on the common unit.]
Figure 10. CPU time units and observation time units
We call Validity class of τi the set
$$L_{\circledcirc}(\tau_i) = \left\{L_u(\tau_i),\ \text{where } u \in \mathbb{N}^*,\ r_i \in u\mathbb{N},\ D_i \in u\mathbb{N} \text{ and } T_i \in u\mathbb{N}\right\}$$
This set collects all languages that model operational behaviors of τi on all possible classes of targets, in terms of CPU speed: note that the number of languages in this class depends on the unit u as it is expressed in (µs, ns, etc.), the choice of unit being up to the user.
To map languages $L_{u_1}(\tau_1)$ and $L_{u_2}(\tau_2)$ on $L_u(\tau_1)$ and $L_u(\tau_2)$, we use the morphism $\varphi^{u}_{u_i}$, which is defined in the following way (see Figure 10 for the use of this morphism):
Definition 10 Let $u \in \mathbb{N}^*$, $u_i \in u\mathbb{N}^*$, Σ = {a, •} be the alphabet associated with a job, and Σ′ = {P, V} be an alphabet associated with a resource-like constraint. The morphism $\varphi^{u}_{u_i}$ is defined in the following way:
$$\varphi^{u}_{u_i} : \Sigma \cup \Sigma' \to (\Sigma \cup \Sigma')^{\frac{u_i}{u}},\quad \begin{cases} \bullet \to \bullet^{\frac{u_i}{u}} \\ a \to a^{\frac{u_i}{u}} \\ P \to P\,a^{\left(\frac{u_i}{u}-1\right)} \\ V \to a^{\left(\frac{u_i}{u}-1\right)}\,V \end{cases}$$
Note that by induction, $\varphi^{u}_{u_i}$ not only addresses task behaviours involved by a single resource, but also those involved by many resources.
We can now give the computing process for synchronized products:
(1) The input data are the system Γ (composed of the τi's), the execution context C, the $L_{u_i}(\tau_i)$'s, and the $u_i$'s.
(2) We compute $u = \gcd_{i\in[1,n]}(u_i)$.
(3) For each τi, we compute the language $L_u(\tau_i)$, which is equivalent to the language $L_{u_i}(\tau_i)$ in the sense that both languages belong to $L_{\circledcirc}(\tau_i)$. Note that by construction, $L_u(\tau_i)$ is unique.
(4) We compute the synchronized product language $L_u\left(\Gamma_C\right)$, following the techniques presented in previous sections, since all languages now share the same time unit.
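As an added example (not code from the paper), the following Python sketch carries out steps (2) and (3) of this process for fixed-load jobs over the alphabet {a, •, P, V}, with the idle letter • written '.': it computes the common unit u as the gcd of the u_i, turns the absolute parameters r_i, D_i, T_i into word lengths (rejecting values that break the divisibility assumption of §6.1), enumerates the single-instance words (a^{C_i} W •^{D_i−C_i}) •^{T_i−D_i}, and rewrites them on the unit u with the morphism φ^u_{u_i} of Definition 10. All numeric values in it are constructed.

```python
from functools import reduce
from itertools import combinations
from math import gcd

IDLE = "."  # stands for the paper's idle letter •
CPU = "a"   # one atomic statement, i.e. one CPU time unit of the job's processor


def common_unit(units):
    """Step (2): u = gcd of the processors' time units u_i (integers in one physical unit)."""
    return reduce(gcd, units)


def to_word_lengths(r, d, t, u):
    """Translate the absolute times (r_i, D_i, T_i) into word lengths for the unit u.
    The paper assumes r_i/u, D_i/u and T_i/u are integers; anything else is rejected."""
    for name, value in (("r_i", r), ("D_i", d), ("T_i", t)):
        if value % u:
            raise ValueError(f"{name}={value} is not a multiple of the time unit u={u}")
    return r // u, d // u, t // u


def instance_words(c, d, t):
    """All words of (a^c W •^(d-c)) •^(t-d): one instance of a job with CPU load c,
    relative deadline d and period t, all in time units. W is the shuffle, so the
    c busy units may sit anywhere among the first d slots; the tail up to t is idle."""
    words = []
    for busy in combinations(range(d), c):
        slots = [IDLE] * d
        for k in busy:
            slots[k] = CPU
        words.append("".join(slots) + IDLE * (t - d))
    return words


def phi(word, u_i, u):
    """Morphism φ^u_{u_i} of Definition 10: rewrite a word given in the unit u_i on the
    finer common unit u (u_i must be a multiple of u). P and V (resource take/release)
    stay at the start, resp. the end, of the expanded letter."""
    if u_i % u:
        raise ValueError("u_i must belong to uN*")
    k = u_i // u
    table = {IDLE: IDLE * k, CPU: CPU * k,
             "P": "P" + CPU * (k - 1), "V": CPU * (k - 1) + "V"}
    return "".join(table[x] for x in word)


def rescale_job_words(c, r, d, t, u_i, u):
    """Step (3) for one fixed-load job: its inactivity prefix •^{r_i/u_i} and its
    single-instance words, first built in its own unit u_i, then mapped by φ^u_{u_i}."""
    r_len, d_len, t_len = to_word_lengths(r, d, t, u_i)
    prefix = phi(IDLE * r_len, u_i, u)
    words = [phi(w, u_i, u) for w in instance_words(c, d_len, t_len)]
    return prefix, words


if __name__ == "__main__":
    # Constructed values: r_i = 3 ms, D_i = 8 ms, T_i = 10 ms, C_i = 3 atomic statements
    # on a processor with u_i = 1 ms (all times in µs), beside a processor of unit 250 µs.
    u = common_unit([1000, 250])
    prefix, words = rescale_job_words(3, 3000, 8000, 10000, 1000, u)
    print(u, prefix, len(words), words[0])
```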
6.2 Feasibility Decision
This synchronized product language is associated with a unique time unit,
and it is a regular language. Consequently, theorem 2 remains valid.
7 Computing techniques
The decision process is based upon both the computing of the center of the synchronized product and the evaluation of the strong feasibility (theorem 2). Computing synchronized products is based upon classical filter techniques [10]: the synchronized product is a subset of the homogeneous product; we construct it by starting from the initial state (it is unique), and by building accessible states, i.e. states whose incoming edges are labeled with elements of the current synchronization set (according to Arnold-Nivat's technique). To limit the size of intermediate computing automata, we use the principle "the more resources the job uses, the earlier its integration in the synchronized product".
The center operation is likewise implemented through filtering techniques, which can be applied while building the automaton: one must decide, for each edge to be built, whether it leads to a valid or an invalid state.
The reader can observe the details of the computations using these techniques in the synchronized product trace tables for the AMADO project validation (see §3.5, §4.3 and §5.3): the consequence of this technique is the size-limitation of temporary automata. Here, we are trying to lessen this limitation by avoiding the construction of useless components belonging to the product automaton.
[Figure 11: timeline of an instance of τi between its release ri + kTi and the next release ri + (k+1)Ti, with the period Ti, the deadline Di and the absolute deadline di; at the current time t (past, now, future), the remaining CPU load Ci(t), the dynamic laxity Li(t) and the dynamic deadline Di(t) are marked, the past being the word ω.]
Figure 11. Dynamic time parameters of tasks
7.1 Improvement criterion
By studying the dynamic load of the system when in state s of the automaton,
one can detect edges outgoing from s and approaching invalid components of
the automaton. The goal of this section is to point out an analytic criterion
to detect such edges as frequently as possible, in order to omit them in the
construction of the automaton.
We deal with context D(∆)CCVT(p). All reasonings involve the synchronized product automaton, not the automata associated with individual jobs. Thus, they also stand for context D(∆)SCVT(p), since a unique time unit is associated with the synchronized product in both frameworks.
Let us have a state s of $A_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$. We consider an edge e, labelled with x, outgoing from s. This edge is useless if for every word α which labels a path from the initial state to s, there does not exist a word β such that $\alpha x \beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$. Deciding this from minimal information is possible. Since the generic automata associated with jobs only accept time-valid behaviours, time constraints need not be controlled when computing the synchronized product: the only constraints requiring consideration are resource synchronization (resp. message transmission). Then, we must define an analytical criterion, addressed when synchronizing with a resource, in order to compute the validity of each edge to build. The aim of this part is to define the criterion.
Recall that for τi, Ci is computed in terms of time units. To be compared with Di, Ti, and so on, it must be expressed in absolute time, by using the formula $C_i u_i$.
We note by $T_\Gamma$ the value $\mathrm{lcm}_{i\in[1,n]}(T_i)$.
We call $L_i(t)$ the dynamic laxity of task τi at time t: it is the number of possible idle time units for τi before its next deadline (see Figure 11). The past of Γ is a behaviour between times 0 and t: it is modeled by a word ω of $L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$ of length t. Thus, the laxity $L_i(t)$ can always be computed from ω. That is why in the following, we note $L_i(t)$ as well as $L_i(\omega)$. The same notation is also used for the dynamic CPU load $C_i(t)$ (remaining CPU load for $\tau_{ik}$ to be completed, see Figure 11).
Let $\tau_{ik}$ be the k-th instance of τi, presumed to be on at time t. From ω, the dynamic laxity $L_i(t)$ of $\tau_{ik}$ can be obtained in the following way. By construction, $\pi_i(\omega)$ can be broken down into $\omega_{ba}\,\omega_{p_{i1}} \ldots \omega_{p_{i k-1}}\,\mu$: $\omega_{ba}$ models the inactivity of τi before its first activation, the $\omega_{p_{ij}}$'s its past completed instances, and µ the beginning of the ongoing instance $\tau_{ik}$. We consequently obtain $\forall j \in [1, k-1],\ |\omega_{p_{ij}}| = T_i$ and $|\mu| \le T_i$. There exists a set Λ of words such that $\nu \in \Lambda \Rightarrow |\mu\nu| = T_i \wedge \pi_i(\omega)\nu \in L_u(\tau_i)$. $L_i(\omega)$ is obtained as $\min_{\nu\in\Lambda}\left(|\nu|_\bullet\right)$: it is the most constrained dynamic laxity of $\tau_{ik}$ induced by the scheduling sequence ω.
We note by $\Sigma_i$ the alphabet associated with $L_u(\tau_i)$. A word β of $\prod_{i=1}^{i=n+r}\Sigma_i$ is valid (and then must not be filtered by the criterion) if $\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right)$: if this property stands, the behaviour ωβ leads Γ, at time t + |β|, to reach the activation of the (k+1)-th instance of τi according to both time and resource constraints. If not, choosing e leads to a time fault: e may be omitted in the construction of $A_u\left(\Gamma_{D(\Delta)CCT(p)}\right)$.
[13] gives such a criterion for the context D(∆)CCT(1). It uses the order $\prec_\omega$ on Γ, which is defined in the following way: at time t (i.e. at the end of ω), $\tau_i \prec_\omega \tau_j \Leftrightarrow L_i(\omega) < L_j(\omega)$. The criterion is defined by:
$$\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(1)}\right) \Rightarrow \forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\omega \tau_i}} \left(C_j(\omega\beta)\right) \le \frac{L_i(\omega\beta)}{u}$$
At this point, we extend this criterion to the context D(∆)CCVT(p). We obtain:
Theorem 3
$$\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p)}\right) \Rightarrow \forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\omega \tau_i}} \frac{C_j(\omega\beta)}{p} \le \frac{L_i(\omega\beta)}{u}$$
Proof
We enrich the notations we consider for contexts, by including time units in their descriptions: we note D(∆)CCT(p[u]) to indicate the (common) time unit associated with the p processors of the target system.
Let $C_p$ be a D(∆)CCT(p[u]) configuration, $\omega \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$ and $\beta \in \prod_{i=1}^{i=n}\Sigma_i$, such that $\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$.
We consider a configuration $C_1$ following $D(\Delta)CCT\left(1\left[\frac{u}{p}\right]\right)$: its processor is p times faster than the p processors of $C_p$. The load capacities of $C_1$ and $C_p$ are identical. There exist $\xi \in L_{\frac{u}{p}}\left(\Gamma_{D(\Delta)CCVT(1)}\right)$ and $\beta' \in \prod_{i=1}^{i=n}\Sigma_i$ such that (see Figure 12)
$$\begin{cases} |\xi| = p \times |\omega| \\ \forall i \in [1,n],\ \pi_{\neg\bullet}(\pi_i(\omega)) = \pi_{\neg\bullet}(\pi_i(\xi)) \\ |\beta'| = p \\ \forall i \in [1,n],\ \pi_{\neg\bullet}(\pi_i(\beta)) = \pi_{\neg\bullet}(\pi_i(\beta')) \\ \forall k \in [1,|\omega|],\ \forall i \in [1,n],\ \begin{cases} \pi_i(\omega_k) \neq \bullet \Leftrightarrow \pi_i(\omega_k) = \pi_i\left(\pi_{\neg\bullet}\left(\xi_{(k-1)\times p+1} \ldots \xi_{k\times p}\right)\right) \\ \pi_i(\omega_k) = \bullet \Leftrightarrow \pi_i\left(\pi_{\neg\bullet}\left(\xi_{(k-1)\times p+1} \ldots \xi_{k\times p}\right)\right) = \varepsilon \end{cases} \end{cases}$$
[Figure 12: the multi-processor scheduling on p processors of unit u is set beside the equivalent mono-processor scheduling of unit u/p, each time slot t of the former corresponding to p consecutive slots of the latter.]
Figure 12. Equivalent mono-processor model
The correlation between duration and length leads $L_i(\omega\beta)$ to be equal to $L_i(\xi\beta')$, for each τi ∈ Γ, and ω to be equivalent to ξ. Then, since $\forall \tau_i \in \Gamma,\ u\,C_i(\omega) = p \times \frac{u}{p}\,C_i(\xi)$, we obtain
$$\sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\xi \tau_i}} \frac{u}{p}\left(C_j(\xi\beta')\right) = \sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\omega \tau_i}} \left(\frac{u\,C_j(\omega\beta)}{p}\right).$$
Since $\omega\beta \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$, we have $\forall x \in \mathbb{N},\ \exists \alpha \in \left(\prod_{i=1}^{i=n}\Sigma_i\right)^x \left(\prod_{i=1}^{i=n}\Sigma_i\right)^*$ such that $\omega\beta\alpha \in L_u\left(\Gamma_{D(\Delta)CCVT(p[u])}\right)$. By a construction such as that of ξ and β′, we can build a word α′ of length x such that $\xi\beta'\alpha' \in L_{\frac{u}{p}}\left(\Gamma_{D(\Delta)CCT(1[\frac{u}{p}])}\right)$. As a result, ξβ′ belongs to the center of the mono-processor language, and the mono-processor criterion stands. Then, we obtain
$$\forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\xi \tau_i}} \left(\frac{u}{p}\,C_j(\xi\beta')\right) \le L_i(\xi\beta')$$
Since $\sum_{\tau_j \prec_\xi \tau_i} \frac{u}{p}\left(C_j(\xi\beta')\right) = \sum_{\tau_j \prec_\omega \tau_i} \left(\frac{u\,C_j(\omega\beta)}{p}\right)$, we obtain
$$\forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\omega \tau_i}} \left(u\,\frac{C_j(\omega\beta)}{p}\right) \le L_i(\omega\beta)$$
and then
$$\forall \tau_i \in \Gamma,\ \sum_{\substack{\tau_j \in \Gamma \\ \tau_j \prec_\omega \tau_i}} \left(\frac{C_j(\omega\beta)}{p}\right) \le \frac{L_i(\omega\beta)}{u} \qquad \blacksquare$$
[Figure 13: bar graph, CPU load λ on the horizontal axis (0 to 100%) and x on the vertical axis (0 to 100%): the criterion addresses x% of the systems with CPU load λ tested.]
Figure 13. Criterion base
7.2 Experimental analysis
Let us now evaluate the improvement brought about by this multi-processor branching-bound criterion. This evaluation is performed by applying the operational validity decision process with and without the use of the criterion on a random sample ξ generated thanks to a real-time configuration random generator, which is designed to produce configurations to implement on multiprocessor targets. The generator we have used was proposed by J. Goossens and C. Marq in [18]. Since operational validation is connected with CPU loads, this sample is analysed by CPU load sections. For a real-time system $\Gamma = (\tau_i)_{i\in[1,n]}$ designed to run under the context D(∆)CCT(p), the CPU load is
$$\frac{\sum_{i=1}^{i=n} \frac{C_i}{T_i}}{p}.$$
[Figure 14: bar graph, CPU load λ on the horizontal axis (0 to 100%) and gain on the vertical axis (0 to 12%): the average memory gain involved by the criterion for addressed systems of CPU load λ is x%, and the optimal average gain (obtained by a clairvoyant algorithm) is y%.]
Figure 14. Memory gain involved by the criterion
For each CPU load λ ∈ [0, 1], we call $\xi_\lambda$ the subset of ξ composed of configurations whose CPU load is λ. We note $\xi_{[\lambda_1,\lambda_2]}$ the set $\bigcup_{\lambda\in[\lambda_1,\lambda_2]} \xi_\lambda$. We do not deal with configurations with CPU loads of less than 0.3, because they are of negligible significance in a real-time context.
The random sample ξ has been generated from a CPU load uniform random law on the interval $\left[\frac{3}{10}, 1\right]$. Then, ξ is partitioned in $\left\{\left(\xi_{[\frac{i-1}{10},\frac{i}{10}]}\right)_{i\in[4,10]}\right\}$, and each $\xi_{[\frac{i-1}{10},\frac{i}{10}]}$ contains around 200 configurations. On the bar graphs presented in Figures 13, 14 and 15, each presented value corresponds to the average value for the corresponding sample $\left\{\left(\xi_{[\frac{i-1}{10},\frac{i}{10}]}\right)_{i\in[4,10]}\right\}$.
We evaluate the criterion firstly on its base aspect (is it often useful?), and secondly on its improvement aspect (does it bring about a real improvement, in both space and time complexity aspects?).
We get the following results:
• Firstly, we evaluate the criterion base (see Figure 13): for each sample ζ of $\left\{\left(\xi_{[\frac{i-1}{10},\frac{i}{10}]}\right)_{i\in[4,10]}\right\}$, we compute the operational validity decision for all configurations of ζ. While computing, we enumerate the p configurations whose operational validity decision computing is improved by the use of the criterion: the value x% presented on the figure is $\frac{p}{|\zeta|}$.
Observing Figure 13 shows that the criterion is nearly always useful for real-time addressed configurations (CPU loads over 70%).
• Secondly, the main problem of model checking techniques in such studies is space explosion. Such criteria are usually followed in order to improve both space and time complexities. In Figure 14, we evaluate the space gain.
This gain is computed from the space used by the operational validity decision algorithm: computing automata for each job, making products and intersections, computing the center language accepting automaton, evaluating the emptiness of this center language by analysing this automaton. For C ∈ ζ, let us call bspace(C) the space complexity (i.e. the largest instantaneous amount of memory needed by the decisional algorithm) for obtaining the validity decision following this technique. Now, let us call cspace(C) the space complexity of the algorithm when it is upgraded with the criterion, and let us call ospace(C) the space complexity of a clairvoyant algorithm, which builds only the edges that remain in the final automaton.
In Figure 14, we present the average values, for the ten samples $\xi_{[\frac{i-1}{10},\frac{i}{10}]}$ previously described, of both $1 - \frac{cspace(C)}{bspace(C)}$ (they compose the bright histogram) and $1 - \frac{ospace(C)}{bspace(C)}$ (they compose the dark histogram). These two histograms provide a comparison between the criterion and the optimal possible performance.
We can see that the clairvoyant algorithm never deletes more that about
10% of built edges. In Section 3, we have designed our model in order to
collect only valid scheduling sequences. By only improving our basic space
complexity about 10% for the worst case section, and by about 5% on the
others, the clairvoyant algorithm both validates our approach and yields
improvements that would otherwise be hard to obtain. However, we see
on Figure 14 that our criterion improves space complexity about 3% (for
addressed conﬁgurations), that is to say about 50% of the clairvoyant al-
gorithm capacities (the optimum). However, for Section [80%, 90%], the cri-
terion improves only about 25% with regard to the optimum. This case can
be explained in the following way: such conﬁgurations are not loaded enough
to often be invalid, but are loaded enough to lead to deadline missings gen-
erated by markedly earlier scheduling decisions. Such time properties lead
the center automaton computing to delete a great part of the graph: this
is precisely the scope of improvement of the criterion, so it is natural that
having to process a larger part of the graph than in other sections, it loses
eﬃcency against the clairvoyant algorithm.
• Thirdly, evaluating the criterion uses processor time in addition to basic algorithm processor time. Here, we cannot consider the clairvoyant algorithm as a reference, since such an algorithm does not exist (because of the complexity class of the problem). That is why, on Figure 15, we evaluate only the time gain involved by use of the algorithm: in many cases, the additional CPU time involved by the criterion is made up for by the edge gain obtained: the only section to be in deficit is [30%, 40%]. This deficit stands because for such systems, the basic algorithm is very efficient (see Figure 14), and then the additional expense involved by computing the criterion for each edge is not made up for by avoiding edges. For addressed sections, the time gain is over 6%, and about 10% for the Section [80%, 90%]. Recall that the space improvement of the criterion for this section is only about 2.5% (see Figure 14), but these 2.5% are connected with a time gain of about 10%: the best of all sections.

[Figure 15. Time gain involved by the criterion. Bar graph of time gain (%, from -3 to 10) against CPU load λ (%): for addressed systems whose CPU load is λ, the criterion improves the execution time by x %.]
So, these experiments show that our model achieves its objectives, since it builds only a few useless edges, and that the criterion is definitely useful for configurations addressed in real-time conception processes.
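The CPU load formula, the sectioning of the sample ξ into ξ_[(i-1)/10, i/10] and the Figure 13 and 14 quantities described above, as an added Python example that is not part of the original paper: it computes (Σ C_i/T_i)/p for a configuration, assigns it to its load section, and averages per section the usefulness ratio p/|ζ| and the gains 1 − cspace/bspace and 1 − ospace/bspace. The task sets, the memory figures, the Task class, the handling of section boundaries and the criterion-useful flag are constructed assumptions of this example, not the paper's data.

```python
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from math import ceil

@dataclass(frozen=True)
class Task:
    """A periodic task tau_i: CPU load C_i and period T_i (in time units)."""
    C: int
    T: int

def cpu_load(tasks, p):
    """CPU load of Gamma = (tau_i) under D(Delta)CCT(p): (sum_i C_i/T_i) / p."""
    return sum(Fraction(t.C, t.T) for t in tasks) / p

def load_section(lam):
    """Index i in [4, 10] of the section xi_[(i-1)/10, i/10] that contains lam.
    Loads under 3/10 are discarded (None), as in the paper; a boundary value is
    attributed to the lower section (assumption), except that 3/10 goes to 4."""
    if lam < Fraction(3, 10) or lam > 1:
        return None
    return max(4, ceil(lam * 10))

def space_gains(bspace, cspace, ospace):
    """Figure 14 quantities: 1 - cspace/bspace (criterion) and 1 - ospace/bspace
    (clairvoyant optimum), both relative to the basic algorithm's peak memory."""
    return (1 - Fraction(cspace, bspace), 1 - Fraction(ospace, bspace))

def section_averages(results, p):
    """results: (tasks, bspace, cspace, ospace, criterion_useful) per configuration.
    Returns, per section i: (share of configurations where the criterion helped,
    i.e. Figure 13's x%, average criterion gain, average clairvoyant gain)."""
    per_section = defaultdict(list)
    for tasks, b, c, o, useful in results:
        i = load_section(cpu_load(tasks, p))
        if i is not None:
            per_section[i].append((Fraction(int(useful)),) + space_gains(b, c, o))
    return {i: tuple(Fraction(sum(r[k] for r in rows), len(rows)) for k in range(3))
            for i, rows in per_section.items()}

# Constructed sample on p = 2 processors (not the paper's data); memory figures
# are arbitrary units, the last field says whether the criterion pruned anything.
SAMPLE = [
    ([Task(2, 5), Task(3, 10), Task(4, 8)], 1000, 990, 970, False),  # load 0.60
    ([Task(3, 4), Task(2, 5), Task(4, 8)], 800, 760, 720, True),     # load 0.825
    ([Task(3, 5), Task(4, 10), Task(3, 4)], 1200, 1170, 1140, True),  # load 0.875
    ([Task(4, 5), Task(3, 6), Task(6, 10)], 1000, 965, 950, True),   # load 0.95
]

if __name__ == "__main__":
    for i, (useful, gain, opt) in sorted(section_averages(SAMPLE, 2).items()):
        print(f"section [{(i-1)*10}%, {i*10}%]: useful {float(useful):.0%}, "
              f"criterion gain {float(gain):.1%}, optimum {float(opt):.1%}")
```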
8 Conclusion
In this paper, we have used algebraic compositions of regular languages to define a model to decide upon the operational validity of periodic real-time systems. This model is valid for periodic real-time systems with offsets, where jobs can communicate or share critical resources, and it takes hardware specifications into account (e.g. processors of different speeds).
Experiments have shown that this model is quite efficient: the validity decision process builds very few useless edges, and the branching-bound criterion reduces decision execution times by 5% to 10%. Moreover, the AMADO project study shows that this approach is useful for Real-Time Conception Aid Design. The classes of properties that can be evaluated are currently being studied.
This work yields many contributions pertaining to the real-time operational validation problem:
• Reducing job CPU loads to their worst case is known to lead to acceptance of invalid configurations. We have provided a novel methodology which avoids worst case analysis in the operational validation process.
• This methodology applies to mono-processor target architectures, but (and this is new) also to multi-processors.
• Since we represent the set of valid sequences with regular languages, the cyclicity theorem [25][13] remains valid for multi-processor scheduling.
The second step of this research consists in defining and experimenting with measure indicators useful in software quality assessment. We are presently working in two directions:
• we are characterizing the classes of indicators we can compute on the basis of our model: from a technical point of view, we are comparing the respective performances of enumeration-based indicators [33] and of probability-based indicators [30][28] for their computing time as well as for their expressive power;
• we are characterizing, in the automaton, the paths corresponding to RM scheduling sequences (resp. DM, EDF, LF): measure indicators will be useful in determining how a real-time system needs to be modified so as to be rendered valid for a specific on-line policy.
Moreover, our results encourage us to extend the approach we have studied to more general systems: we have extended the scope of this methodology to real-time systems composed of both periodic and sporadic jobs [17]: a sporadic job is associated with an alarm signal, which is obviously not periodic. At another location, observation of the geometric properties of the automata's graphs has prompted us to adopt a new approach toward validating real-time systems, and it appears to be highly efficient [24]. In the future, we are planning to apply these results so as to provide assistance for real-time conceivers in the operational specification process.
References
[1] DGA (French Arms Procurement Agency), ONERA (French aeronautics and space research centre). International universities mini UAV competition. Closed in September 2005. http://concours-drones.onera.fr/.
[2] K. Altisen, A. Clodic, F. Maraninchi, and E. Rutten. Using controller-synthesis techniques to build property-enforcing layers. In Proc. of 12th European Symposium on Programming, volume 2618 of Lecture Notes in Computer Science, pages 174–188. Springer Verlag, April 2003.
[3] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183–235, 1994.
[4] R. Alur and D.L. Dill. Automata for modeling real-time systems. In Proceedings of the 17th International Colloquium on Automata, Languages and Programming, volume 443 of Lecture Notes in Computer Science, pages 322–335. Springer-Verlag, London, UK, 1990.
[5] T. Amnell, E. Fersman, L. Mokrushin, P. Pettersson, and W. Yi. Times: a tool for schedulability analysis and code generation of real-time systems. In Proc. of 1st International Workshop on Formal Modeling and Analysis of Timed Systems, volume 2791 of Lecture Notes in Computer Science, pages 60–72, September 2003.
[6] A. Arnold. Finite transition systems. Prentice Hall, 1994.
[7] A. Arnold, A. Griffault, G. Point, and A. Rauzy. The AltaRica formalism for describing concurrent systems. Fundamenta Informaticæ, 40:109–124, 2000.
[8] T.P. Baker. Stack-based scheduling of real-time processes. The Journal of Real-Time Systems, 3:67–99, 1991.
[9] J.P. Beauvais. Étude d'Algorithmes de Placement de Tâches Temps Réel Périodiques Complexes dans un Système Réparti. PhD thesis, École Centrale de Nantes, France, 1996.
[10] P. Bozanis, N. Kitsios, C. Makris, and A.K. Tsakalidis. New upper bounds for generalized intersection searching problems. In Proc. of 22nd International Colloquium on Automata, Languages and Programming, pages 464–474, 1995.
[11] P. Brémond-Grégoire, J. Choi, and I. Lee. A complete axiomatization of finite-state ACSR processes. Information and Computation, 138(2):124–159, November 1997.
[12] A. Choquet-Geniet. Un premier pas vers l'étude de la cyclicité en environnement multi-processeur. In Proc. of Real-Time Systems 2005, pages 289–302. Teknea, 2005.
[13] A. Choquet-Geniet and E. Grolleau. Minimal schedulability interval for real-time systems of periodic tasks with offsets. Theoretical Computer Science, 310:117–134, 2004.
[14] A. Colin and I. Puaut. Worst case execution time analysis for a processor with branch prediction. Real-Time Systems, Special issue on Worst-Case Execution Time Analysis, 18(2):249–274, April 2000.
[15] M.L. Dertouzos and A.K. Mok. Multiprocessor on-line scheduling of hard-real-time tasks. IEEE Transactions on Software Engineering, 15(12):1497–1506, December 1989.
[16] S. Eilenberg. Automata, Languages and Machines, volume A. Academic Press, 1976.
[17] D. Geniet and J.P. Dubernard. Scheduling hard sporadic tasks with regular languages and generating functions. Theoretical Computer Science, 313:119–132, 2004.
[18] J. Goossens and C. Macq. Limitation of the hyper-period in real-time periodic task set generation. In Proc. of Real-Time Systems 2001, pages 133–148. Teknea, 2001.
[19] R.L. Graham, E.W. Lawler, J.K. Lenstra, and A.H.G. Rinnooy Kan. Optimization and approximation in deterministic sequencing and scheduling: a survey. Annals of Discrete Mathematics, 5:287–326, 1979.
[20] E. Grolleau. Ordonnancement Temps-Réel Hors-Ligne Optimal à l'Aide de Réseaux de Petri en Environnement Monoprocesseur et Multiprocesseur. PhD thesis, Univ. Poitiers, 1999.
[21] E. Grolleau and A. Choquet-Geniet. Off-line computation of real-time schedules by means of Petri nets. Journal of Discrete Event Dynamic Systems, 12:311–333, 2002.
[22] J. Carpenter, S. Funk, P. Holman, A. Srinivasan, J. Anderson, and S. Baruah. A categorization of real-time multiprocessor scheduling problems and algorithms. Chapter in Handbook of Scheduling: Algorithms, Models, and Performance Analysis, pages 30-1–30-19. Chapman and Hall/CRC, 2004.
[23] P. Krčál and W. Yi. Decidable and undecidable problems in schedulability analysis using timed automata. In Kurt Jensen and Andreas Podelski, editors, Proc. of the 10th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, volume 2988 of Lecture Notes in Computer Science, pages 236–250. Springer-Verlag, 2004.
[24] G. Largeteau, D. Geniet, and É. Andres. Discrete geometry applied in hard real-time systems validation. In Proc. of 12th Discrete Geometry for Computer Imagery, volume 3429 of Lecture Notes in Computer Science, pages 23–33. Springer-Verlag, 2005.
[25] J.Y.T. Leung and M.L. Merrill. A note on preemptive scheduling of periodic real-time tasks. Information Processing Letters, 11(3):115–118, 1980.
[26] C.L. Liu and J.W. Layland. Scheduling algorithms for multiprogramming in a hard real-time environment. Journal of the ACM, 20(1):46–61, 1973.
[27] A.K. Mok. Fundamental Design Problems for the Hard Real-Time Environments. PhD thesis, MIT, 1983.
[28] A.M. Odlyzko. Enumeration of strings. In A. Apostolico and Z. Galil, editors, Combinatorial Algorithms on Words, volume 12 of NATO Advanced Science Institutes Series, Series F: Computer and Systems Sciences, pages 205–228. Springer-Verlag, 1985.
[29] S. Pailler and A. Choquet-Geniet. Off-line scheduling of real-time applications with variable duration tasks. In Proc. of 7th Workshop on Discrete Event Systems, pages 373–378, 2004.
[30] A. Paz. Introduction to Probabilistic Automata. Academic Press, 1971.
[31] L. Sha, R. Rajkumar, and J. Lehoczky. Priority inheritance protocols: an approach to real-time synchronisation. IEEE Transactions on Computers, 39(9), 1990.
[32] I. Sommerville. Software Engineering. Addison-Wesley, 2004.
[33] L. Thimonier. Generating Functions and Random Words. Thèse d'état, Univ. Paris 11, October 1988.
[34] J. Xu and D.L. Parnas. Scheduling processes with release times, deadlines, precedence and exclusion relations. IEEE Transactions on Software Engineering, 16(3):360–369, 1990.
Appendix: Notations and Definitions used in this paper
Mathematical notations
$\prod_{i\in I} E_i$   Cartesian product of all sets $E_i$ such that $i \in I$
$\bigcup_{i\in I} E_i$   Union of all sets $E_i$ such that $i \in I$
$\bigcap_{i\in I} E_i$   Intersection of all sets $E_i$ such that $i \in I$
$A \setminus B$   $\{x \in A \cup B \text{ such that } x \in A \wedge x \notin B\}$
$\pi_B \in B^A$   Function such that $x \in B \Rightarrow \pi_B(x) = x$ and $x \notin B \Rightarrow \pi_B(x) = \varepsilon$
$\pi_{\neg B} \in B^A$   Function such that $x \in B \Rightarrow \pi_{\neg B}(x) = \varepsilon$ and $x \notin B \Rightarrow \pi_{\neg B}(x) = x$
Words and languages
$|\omega|$   Length (number of characters) of word $\omega$
$|\omega|_x$   Number of occurrences of pattern $x$ in the word $\omega$
Reg(Σ)   Set of regular languages on alphabet Σ
Pref(ω)   Set of prefixes of ω (can be a word or a language)
Center(L)   Center of the language L
$a^x$   The pattern $a$ repeated $x$ times
$\Omega_{i\in I} L_i$   Homogeneous product of all languages $L_i$ such that $i \in I$
W   Shuffle of languages
Real-time tasks
Γ   The currently considered real-time system
$\tau_i$   The $i$th task of a real-time system
$\tau_{ij}$   The $j$th instance of task $\tau_i$
$r_i$   First activation date of task $\tau_i$
$D_i$   Critical delay of task $\tau_i$
$C_i$   CPU load of task $\tau_i$
$T_i$   Period of task $\tau_i$
$L_i(t)$   Dynamic laxity of task $\tau_i$
$C_i(t)$   Dynamic CPU load of task $\tau_i$
Scheduling contexts
ICCT(p)   Independent tasks, periodic real-time system, common clock, p processors, centralized system
D(∆)CCT(p)   Dependent tasks with constraints ∆, periodic real-time system, common clock, p processors, centralized system
EDF   Earliest Deadline First scheduling policy
LL   Least Laxity First scheduling policy
RM   Rate Monotonic scheduling policy
DM   Deadline Monotonic scheduling policy
Model
a   The task is running for one observation time unit
•   The task is suspended for one observation time unit
$L\left(\frac{\Gamma}{C}\right)$   Model language for system Γ under context C
$A\left(\frac{\Gamma}{C}\right)$   Acceptation finite automaton for $L\left(\frac{\Gamma}{C}\right)$
$L_u\left(\frac{\Gamma}{C}\right)$   Model language for system Γ under context C and observation time unit u
$A_u\left(\frac{\Gamma}{C}\right)$   Acceptation finite automaton for $L_u\left(\frac{\Gamma}{C}\right)$
$S_R$   Arnold-Nivat synchronization set for resource R management protocol
$\phi_p^n$   Transformation function which replaces $a$ by $a^{\frac{n}{p}}$, $P$ by $P a^{\left(\frac{n}{p}-1\right)}$ and $V$ by $a^{\left(\frac{n}{p}-1\right)} V$. $p$ must be an element of $n\mathbb{N}$