Boomerang: Real-Time I/O Meets Legacy Systems by Golchin, Ahmad et al.
ar
X
iv
:1
90
8.
06
80
7v
1 
 [c
s.O
S]
  1
9 A
ug
 20
19
Boomerang: Real-Time I/O Meets Legacy Systems
Ahmad Golchin
golchin@cs.bu.edu
Boston University
Boston, MA 02215
Soham Sinha
soham1@cs.bu.edu
Boston University
Boston, MA 02215
Richard West
richwest@cs.bu.edu
Boston University
Boston, MA 02215
Abstract
This paper presents Boomerang, a system that integrates
a legacy non-real-time OS with one that is customized for
timing-sensitive tasks. A relatively small RTOS benefits from
the pre-existing libraries, drivers and services of the leg-
acy system. Additionally, timing-critical tasks are isolated
from less critical tasks by securely partitioning machine re-
sources among the separate OSes. Boomerang guarantees
end-to-end processing delays on input data that requires
outputs to be generated within specific time bounds.
We show how to construct composable task pipelines in
Boomerang that combine functionality spanning a custom
RTOS and a legacy Linux system. By assigning time-critical
I/O to the RTOS, we ensure that complementary services
provided by Linux are sufficiently predictable to meet end-
to-end service guarantees. While Boomerang benefits from
spatial isolation, it also outperforms a standalone Linux sys-
tem using deadline-based CPU reservations for pipeline tasks.
1 Introduction
Mixed-criticality systems require the spatial and temporal
isolation of tasks to meet timing, safety and security con-
straints [9]. Additionally, these systems involve real-time
task pipelines to implement sensing, processing and actu-
ation. For example, an automotive system supports low-criticality
infotainment services, which must be isolated from highly
critical driving assistance tasks that process sensor data to
avoid vehicle collisions.
Spatial isolation ensures that one software component
cannot alter another component’s private code or data, or
interfere with the control of its devices. Temporal isolation
ensures that a software component cannot affect when an-
other component accesses a resource (e.g., a CPU). Lack of
temporal and spatial isolation leads to potential timing or
functional failures. Failure of a highly critical task has po-
tentially catastrophic consequences, while failure of a low-
criticality task has less significant consequences.
One way to support mixed-criticality systems is to parti-
tion tasks onto separate hardware. This ensures less critical
tasks are unable to directly affect those of greater import-
ance. Automotive systems have traditionally taken this ap-
proach, by assigning a different functional component to a
separate electronic control unit (ECU) [31]. However, as the
complexity of these systems increases, hardware costs, wir-
ing and packaging become prohibitive. For this reason, new
hardware platforms that integrate the functionality of mul-
tiple hardware components, including multicore processors,
accelerators, GPUs, and various input/output (I/O) interfaces
are now emerging. Tesla’s AutoPilot 2.x, for example, already
uses platforms such as the Nvidia Drive PX2 in its cars, to
assist with vehicle control.
An integrated solution, combining tasks of different critic-
ality levels on the same hardware, requires an operating sys-
tem to correctly enforce temporal and spatial isolation. Par-
titioning operating systems such as Tresos [9] and LynxOS
[25] have been developed for automotive and avionics sys-
tems, respectively, in accordancewith standards such as AU-
TOSAR [5] and ARINC653 [43], to isolate tasks of different
criticality levels. However, these types of systems are not
able to take advantage of legacy software, including librar-
ies and device drivers written for the newest hardware. In
contrast, systems such as Linux, Windows and OS X are
regularly updated with features that would take an oper-
ating system developer years to reproduce in a clean-slate
design. Unfortunately, general purpose systems lack the ne-
cessary temporal and spatial requirements, including the
ability to perform real-time sensing, processing and actu-
ation required by emerging mixed-criticality systems.
In this paper, we present a system called Boomerang.Boom-
erang uses a partitioning hypervisor [45], which separates
the hardware of a physical machine into different guest do-
mains that directly manage their assigned resources. This
contrasts with a conventional multiplexing (or consolidat-
ing) hypervisor, which intervenes in the sharing of physical
machine resources among multiple guests. Boomerang’s ap-
proach removes the hypervisor from resource management,
once CPU cores, physical memory and I/O devices are as-
signed to separate guests.
Using separate partitions, Boomerang supports the co- ex-
istence of a real-time operating system (RTOS) and a legacy
system such as Linux. Linux provides a domain for less tim-
ing and safety-critical tasks, while providing a rich set of
pre-existing libraries and device drivers. For example, OpenCL,
CUDA, drivers for hardware accelerators, cameras, and ma-
chine learning algorithms are all available in Linux, andwould
be cumbersome to write for a new RTOS. At the same time,
the RTOS partition in Boomerang provides the timing guar-
antees for real-time tasks to perform sensor data processing
and actuation.
1
Key to this paper’s contributions is the construction of a
composable tuned pipe abstraction. This abstraction imple-
ments real-time task pipelines that ensure end-to-end ser-
vice guarantees on sensing, processing and actuation. As
stated above, many emerging mixed-criticality systems re-
quire tasks to process sensory inputs before subsequently
generating outputs that affect the actuation of a device. For
example, a cruise control system in an electric car may col-
lect data from cameras and speed sensors before determin-
ing that the motors need to change speed to keep a safe dis-
tance to the vehicle ahead.
Novel to Boomerang’s composable tuned pipes is the abil-
ity for an integrated RTOS to manage I/O that requires ser-
vices in a legacy system such as Linux.We show how to con-
struct composable task pipelines in Boomerang that com-
bine tasks spanning a custom RTOS and a legacy Linux sys-
tem. By assigning time-critical I/O to the RTOS, we ensure
that complementary services provided by Linux are suffi-
ciently predictable to meet end-to-end service guarantees.
We compare our approach to one based solely on Linux, us-
ing specific cores to handle timing-sensitive I/O. Boomerang
not only benefits from spatial isolation, it also outperforms
a standalone Linux system using deadline-based CPU reser-
vations for pipeline tasks.
The following section provides background to the prob-
lem addressed by Boomerang. Section 3 describes the Boom-
erang partitioning hypervisor and composable tuned pipes.
An evaluation of Boomerang is described in Section 4. Re-
lated work is discussed in Section 5. Finally, conclusions and
future work are described in Section 6.
2 Background
Boomerang supports composable task pipelines that form
a round-trip path, originating from a device input and ulti-
mately finishing with a device output. It is designed specific-
ally for applications that require sensing, processing and ac-
tuation. The system name is based on the idea that a boomer-
ang follows a path that returns to its starting point, which
in our case is a device, although not necessarily the same
device that produced input data.
Figure 1(a) shows the round-trip path in a typical OS. A
device acknowledges the completion of an I/O request by
generating an interrupt. Most systems handle interrupts at
priorities above those of software tasks. They also incor-
rectly charge interrupt handling to the task that was pree-
mpted by the arrival of the interrupt. Worse still, a burst of
interrupts within a short time may delay a time-critical task
enough to miss its deadline [13, 56].
Figure 1(a) uses a dedicated core for I/O processing of
device interrupts to avoid interference with task execution,
as described above. However, the single OS approach does
not ensure sufficient spatial isolation for domains that re-
quire the heightened safety and security of a partitioned
Figure 1. (a) Round-trip I/O in a single OS, and (b) possible
I/O paths in a Boomerang partitioning hypervisor.
system. In contrast, Figure 1(b) shows how Boomerang sup-
ports three different classes of I/O using a partitioning hy-
pervisor [35, 48] to separate highly critical timing sensitive
operations from less critical system components.
In the first case, all I/O is contained within an RTOS. Real-
time tasks and interrupt handlers for device I/O share the
same processor cores, as the RTOS ensures predictable tim-
ing guarantees on task and I/O processing.
In the second case, the I/O path traverses a task pipeline
that enters into a legacyOS via secure sharedmemory. Here,
the legacy OS provides services that would require signific-
ant effort to port to the RTOS. The round-trip I/O path in
case 2 is still able to meet end-to-end timing guarantees be-
cause the tasks in the legacy OS are isolated from timing
unpredictability caused by interrupts. This is possible by de-
moting interrupts to priorities that are distinctly lower than
those of tasks. Additionally, legacy OSes such as Linux sup-
port SCHED_DEADLINEexecution for tasks, thereby ensuring
some degree of timing guarantees, as long as there is no in-
terference from interrupts [17].
In the third case, it may be necessary for some I/O to be
handled by a legacy system, which has drivers and libraries
that are unavailable in the RTOS. For example, a series of
cameras used in a driverless car need suitable device drivers
andmachine learning algorithms to perform object classific-
ation. The outcomes of object classification dictate whether
information needs to be communicated to the RTOS to issue
real-time outputs that adjust vehicle motion. As with the
single OS approach, I/O originating in case 3 may handle
interrupts on a dedicated core, to avoid interference with
tasks that serve RTOS requests in case 2. Alternatively, I/O
processing in the legacy OS is given lower priority than task
execution, leaving critical I/O to the real-time OS.
2.1 VCPU Scheduling
Boomerang’s partitioning hypervisor provides support for
an RTOS to co-exist on the same platform as a legacy sys-
tem such as Linux. Our in-house RTOS assigns threads to
virtual CPUs (VCPUs), which are then scheduled on phys-
ical CPUs (PCPUs) 1. Each VCPU is specified a processor
capacity reserve [28] consisting of a budget capacity,C , and
period, T . A VCPU is required to receive at least C units of
execution time every T time units when it is runnable, as
1A PCPU is either a processor core, hardware thread, or individual CPU.
2
long as a schedulability test [21] is passed when creating
new VCPUs. This way, the scheduler guarantees temporal
isolation between threads associated with different VCPUs.
Boomerang’s RTOS assigns tasks to Main VCPUs, which
are implemented as Sporadic Servers [40]. Each Sporadic
Server keeps track of its VCPU’s budget usage, and con-
structs a list of timestamped future replenishments, to en-
sure timing guarantees. By default each Sporadic Server VCPU
is scheduled using Rate-Monotonic Scheduling (RMS) [24].
The VCPU with the smallest period, T , has the highest pri-
ority. It is possible to increase the utilization bound of a set
of Sporadic Servers by using earliest deadline first schedul-
ing [24], where the deadline is set to the end of the VCPU’s
current period. However, this is a form of dynamic priority
scheduling, which increases scheduling overheads.
To ensure that tasks are isolated from interrupts, the RTOS
promotes interrupt handling to a schedulable thread context.
In Boomerang, all real-time interrupts are associated with a
source entity. The source entity is a task awaiting I/O com-
pletion (e.g., via a blocking read() system call), or a system
thread awaiting a kernel event. All such entities have a cor-
responding Main VCPU.
A top half handler executes when an interrupt occurs, and
determines the corresponding source entity. The top half
then inserts into a system ready queue an IO VCPU with a
dynamically calculated budget and period. These values are
derived from the source entity associated with the interrupt.
Finally, the interrupt is acknowledged, and all subsequent
handling occurs in a bottom half thread context, when the
corresponding IO VCPU is scheduled.
Each IO VCPU in Boomerang’s RTOS is given a utiliza-
tion bound,UIO . There is one IO VCPU for each device class,
with classes existing for USB, networking, ATA, and GPIO
devices, among others. When an IO VCPU is added to the
scheduler ready queue, its budget is set toUIO×TMain and its
period is set toTMain , whereTMain is the period of the Main
VCPU of the source entity associatedwith the interrupt. The
RTOS is then able to correctly schedule bottom half inter-
rupt handlers at the priority of the source task running on
a Main VCPU. This contrasts with systems such as Linux,
which schedule bottom halves (a.k.a., tasklets or softirqs) at
priorities that are not tied to the source of corresponding
interrupts.
The mapping of tasks and interrupt handlers to Main and
IO VCPUs, respectively, allows the RTOS to use different
policies for VCPU time management. While Main VCPUs
default to Sporadic Servers, IO VCPUs implement a simpler
scheme. They dynamically derive a budget from the Main
VCPUs they serve, as this avoids the overhead of maintain-
ing replenishment lists for short-lived interrupt service routines
(ISRs). This budget is eligible for use as long as the sustained
IO VCPU’s utilization does not exceed UIO . This policy is
shown to be effective for short-lived interrupt service routines
(ISRs), which would fragment a Sporadic Server budget.
Boomerang’s RTOS requires reprogramming of hardware
timers in one-shotmode, to determine the next system event.
This is similar to Linux’s tickless operation. As IO VCPUs
only have one budget replenishment to consider, rather than
a list, this leads to reduced timer reprogramming overhead.
Note that a traditional multiplexing hypervisor manages
the execution of VCPUs on behalf of all guests. In Boomer-
ang, VCPUs exist only in the RTOS. A non-real-time (legacy)
OS running in a separate guest domain is able to schedule
its own tasks directly on its assigned PCPUs.
2.2 Communication Model
Control flow in Boomerang is influenced by the path of data,
which originates and ends with a device. Data flow involves
a pipeline of communicating tasks. Each task processes its
input data to produce output, either for devices or subsequent
tasks in the pipeline. This leads to a communication model
characterized by: (1) the interarrival times of tasks in the
pipeline, (2) inter-task buffering, and (3) each tasks’ access
pattern to communication buffers.
Periodic versus AperiodicTasks.Aperiodic tasks have
irregular interarrival times, influenced by the arrival of data.
Similarly, interrupts occur when devices complete I/O.
Boomerang assumes that devices generate interrupts with
a minimum inter-arrival time necessary for pipeline pro-
cessing to complete within specific throughput, delay and
loss bounds. For this to occur, tasks are either configured to
run periodically, using whatever data is available at their in-
puts, or they must run aperiodically when new data is avail-
able. The semantics of task execution depends on whether
the pipeline works only with the freshest data (e.g., from a
sensor), or whether it must use all input data. Either way,
a task pipeline’s timing requirements assume that data will
propagate with a minimum inter-arrival time between tasks.
Register-based versus FIFO-based Communication.
A FIFO-based shared buffer is used in scenarios where data
history is an important factor. However, in sensor-data pro-
cessing the most recent data is often more important. For
example, a driving assistance system should always com-
pute outputs that affect vehicle dynamics from the latest
sensor data. FIFO-based communication results in loosely
synchronous communication: the producer is suspendedwhen
the FIFO buffer is full and the consumer is suspended when
the buffer is empty. Register-based communication achieves
fully asynchronous communication between two commu-
nicating parties using Simpson’s four-slot algorithm [39].
Implicit versus ExplicitCommunication.Explicit com-
munication allows access to shared data at any time point
during a task’s execution. This might lead to data inconsist-
ency in the presence of task preemption. A task that reads
the same shared data at the beginning and the end of its
execution might see two different values, if it is preemp-
ted between the two reads by another task that changes the
3
value of the shared data. Conversely, the implicit communic-
ation model [18] essentially follows a read-before-execute
paradigm to avoid data inconsistency. It mandates a task to
make a local copy of the shared data at the beginning of
its execution and to work on that copy throughout its exe-
cution. Simpson’s four-slot algorithm [39] ensures the read
and write stages avoid data corruption without blocking.
Boomerang supports both periodic and aperiodic tasks. It
also supports both register- and FIFO-based communication.
Implicit communication is enforced for data consistency.
3 Boomerang
The Boomerang partitioning hypervisor divides processor
cores, physical memory and I/O devices among guest do-
mains. Each guest thenmanages its physical resourceswithout
involvement of the hypervisor. This has two important prop-
erties: (1) the hypervisor is only used to bootstrap the sys-
tem and to establish secure communication channels between
guests using hardware extended page tables (EPTs) 2, and (2)
the hypervisor is removed from runtime resource manage-
ment of the physical machine, making its trusted code base
extremely small.
Boomerang’s partitioning hypervisor has a text segment
of less than 4KB, although more space is needed for EPTs
(e.g., 24KB for a 4GB guest). Given the hypervisor is not
accessed under normal guest operation, the system’s most
privileged ring of protection is less susceptible to security
attacks than a conventional OS image running directly on
hardware. In the latter case, system calls must pass control
to the OS kernel, whereas in Boomerang these are restricted
to the local guest.
Unlike traditional hypervisors that multiplex guests onto
the same shared physical machine, partitioning hypervisors
offer opportunities for applications that require security and
timing predictability. Hardware virtualization features isol-
ate guests, using an additional ring of protection reserved
for the hypervisor. At the same time, time-critical guests are
able to run real-time resource management policies without
being compromised by additional resourcemanagement policies
in the hypervisor.
We see partitioning hypervisors as being suitable formixed-
criticality systems, requiring spatial and temporal isolation
of application tasks and software components according to
different system criticality levels. For example, automotive
systems adhering to standards such as ISO 26262 [19] are
required to meet specific functional safety requirements, ac-
cording to several classes of automotive safety integrity levels
known as ASIL A-D. Software certified to ASIL D standard
operates at the most stringent safety level, where the risk
of failure is potentially life threatening. In contrast, ASIL
2Intel processors with VT-x capabilities refer to these tables as EPTs. AMD-
V processors have similar nested page tables (NPTs).
A applies to software that has a very low probability of sig-
nificant human injury even during failures. Other standards
such as ARINC 653 and DO-178B have similar requirements
for avionics systems. For these types of systems, it is pos-
sible to assign software to machine partitions according to
their safety integrity levels.
3.1 Composable Tuned Pipes
Figure 2. A tuned pipe.
Figure 2 shows a logical representation of a single tuned
pipe (a.k.a., tpipe). A pipe has one pipe processor and two end-
points, with one endpoint for input and the other for output.
A pipe processor is represented by a VCPU, guaranteeing
at least C units of execution time every T time units when
runnable. Pipe processors are associated with tasks bound
toMain VCPUs, or threaded interrupt handlers bound to I/O
VCPUs.
A tuned pipe guarantees data flowing from an input to an
output endpoint is processed according to specific service
requirements. These requirements apply end-to-end, through
a pipeline of one ormore tuned pipes. If the pipeline is lossless,
it ensures specific throughput and delay guarantees, whereas
if it is lossy, it guarantees a maximum fraction of lost data
while meeting delay bounds.
Boomerang maintains a local repository for each guest
OS (a.k.a., sandbox or machine partition), which stores in-
formation about available endpoints. The repository records
a globally unique identifier for each endpoint, in the form:
hostID:sandboxID:asID:epID. This distinguishes endpoints in
different host machines (by hostID) 3, sandboxes (by sand-
boxID), and address spaces (by asID). Access capabilities re-
strict which tuned pipes are able to connect to endpoints.
The rules controlling connectivity to endpoints are a topic
of ongoing research. They have implications for secure in-
formation flow analysis [8, 16, 55], which is outside the scope
of this paper. Notwithstanding, pipelines may be construc-
ted within a single address space, between address spaces
in the same machine partition, between different partitions
on the same host, and across different hosts.
When creating a tuned pipe, Boomerang automatically
calculates (i.e., tunes) the budget and period of the pipe VCPU
to ensure end-to-end guarantees are met. Tuned pipes are
created with a call to tpipe(), as follows:
tpipe_id_t tpipe(ep_t *inp[], int n_inp, ep_t *outp,
qos_t spec, tpipe_task_t func, void* arg);
3In this paper, we restrict communication within the same host machine.
4
The input endpoint of the new tuned pipe specifies an ar-
ray of pointers, inp, to endpoint types. This array identifies
the endpoint addresses of n_inp inputs to the tuned pipe,
along with the buffering semantics of each input, which will
be discussed in Section 3.1.1.
Data flowing into the tuned pipe is processed by a spe-
cific callback function (func), which sends its output to spe-
cific destinations connected to the output endpoint, identi-
fied by outp. The callback function takes an optional argu-
ment (arg), and runs in its own thread context. The thread
context defines a task, which is bound to a VCPU having an
automatically-generated budget, Ci , and period, Ti , for the
tuned pipe, tpipei . The budget and period are derived from
the quality-of-service (QoS) requirement (spec) for end-to-
end throughput and delay on data processing. This require-
ment must also satisfy the schedulability of all VCPUs on a
given physical CPU (PCPU), otherwise the tuned pipe is not
created. If a tuned pipe is successfully created, it is given a
unique ID within its guest OS.
tpipei requires its callback function to process data from
one or more input endpoints and produce output in one
quantum of size Ci , every period, Ti . Functions are selected
from a predefined repository of callbacks. Each callback has
a known worst-case execution time (WCET) based on pre-
profiled timing information to handle a maximum Ii inputs
and produce up to Oi outputs in one quantum. The actual
amount of processing in a quantum depends on the availab-
ility of data in input buffers, and how many outputs need to
be written.
Each function in the repository declares the allowable
buffering capabilities for its inputs and outputs. Any tuned
pipe connecting to another with a function that does not
match the allowed buffering capabilities is rejected.
3.1.1 POSIX Pipes versus Tuned Pipes
Similarities exist between a pair of tuned pipes and a single
POSIX pipe. The latter provides a sharedmemory buffer that
is accessible to a group of communicating threads via file
descriptors. The file descriptors describe the endpoint cap-
abilities, including whether the pipe is readable or writable.
A tuned pipe pair in Boomerang differ from a POSIX pipe
by capturing the timing requirements for data processing
and communication. They also define the buffering semantics
for I/O endpoints.
Figure 3(a) shows a two-stage pipeline with fully asyn-
chronous (RT_ASYNC) communication between tpipe1 and
tpipe2. In this case, Simpson’s Four Slot buffering scheme [38,
39] is used to allow the two pipe threads to execute inde-
pendently of each another. Four Slot communication guar-
antees freshness and integrity of data objects exchangedbetween
a producer and consumer, without the sender or receiver
ever having to block. Freshness guarantees the most recent
value of a data object is made available. This is important
in sensor data processing, where the latest sensor readings
Figure 3.A two-stage pipeline with (a) 4-slot asynchronous
buffering, and (b) semi-asynchronous ring buffering.
are more important than older, potentially stale values. In-
tegrity ensures a data object is not partially updated before
the previous object has been read in entirety.
In contrast, Figure 3(b) shows a two-stage pipeline with
semi-asynchronous (RT_FIFO) communication.This scheme
uses a classic ring buffer to pass data without loss between
the sender and receiver. However, the sender must block
when the buffer is full, and the receiver must blockwhen the
buffer is empty. This places a timing dependency on produ-
cers and consumers, which potentially violates end-to-end
timing guarantees unless data flow rates are managed cor-
rectly.
3.1.2 Device versus Task Pipes
Boomerang’sRTOS provides a pre-defined set of tuned pipes
for all devices involved in real-time I/O. A device pipe fea-
tures an IO VCPU for interrupt handling, and an optional
Main VCPU for endpoint buffermanagement of shared devices.
Sharing requires scatter-gather functions tomove data between
the device endpoint buffer and pipe-specific buffers of task
pipes. If a device is not shared, its handler directly accesses
the buffer of a specific task pipe.
The tpipe() call, described earlier, creates a task pipe. Un-
like a device pipe, there is no IO VCPU for interrupt hand-
ling. Task pipes form pipelines between device pipes that act
as the sources and sinks of input and output data, respect-
ively.
Figure 4. Example composition of a device and task pipe for
asynchronous I/O.
Figure 4 shows an example composition of a device and
task pipe for asynchronous (non-blocking) I/O communica-
tion. The device is assumed to be shared with other tasks. If
a task requires semi-asynchronous device communication
for blocking I/O, it would replace the four slot pipe buffer
with a ring buffer.
5
3.1.3 Pipeline Construction
Pipelines of tuned pipes are constructed in the order in which
data flows, from input to output. A tuned pipe is responsible
for the creation of all buffers that connect to its input end-
point. It also declares its output endpoint, which includes
a count of the number of outputs it handles. A pipeline is
incomplete until all Ii inputs and Oi outputs of each tpipei
are connected.
The output endpoint of each task pipe has a connection to
a default device pipe, which could be a null device. A system
call interface allows this output endpoint to be redirected to
one or more different device pipes.
Once fully connected, the system activates the pipeline
by allowing each tpipe task to be scheduled for execution.
Those tasks that execute in the RTOS are runnable when
they have available budgets on their corresponding VCPUs.
Tuned pipe tasks that execute in Linux are runnable when
they have available budgets in their SCHED_DEADLINE schedul-
ing class. Linux’s SCHED_DEADLINE scheduling class uses a
Constant Bandwidth Server [2] to limit the maximum CPU
bandwidth consumed by a task within a specific period. The
end of the period is used to define the task deadline, and all
tasks are scheduled earliest deadline first. However, inter-
rupt handlers are not managed in this scheme.
Boomerang runs our in-house RTOS in one sandbox, and
Linux in another sandbox on the same physical machine. A
Linux kernel module maps a secure shared memory region
by calling into the hypervisor. The hypervisor uses EPTs to
map machine physical memory into each sandbox so they
are able to communicate.
Each sandbox is equipped with kernel services that man-
age a local repository of endpoints and tuned pipes. Com-
munication services allow queries to a remote sandbox, to
discover endpoints and to connect or disconnect from tuned
pipes. Mailbox channels are established by Boomerang to
enable OSes in different sandboxes to send remote OS re-
quests. Access policies determine whether address spaces in
the local or remote sandbox are able to connect to endpoints
of existing tuned pipes.
Boomerang’s RTOS provides a remote shell to Linux through
inter-sandbox shared memory. Linux uses a kernel module
to allow user-space application programswith root privilege
to execute shell commands on the RTOS. A shell interface al-
lows pipelines of tuned pipes to be constructed. The RTOS is
able to query endpoints and tuned pipes that exist in Linux,
and issue requests to connect to them via tpipe() calls.
After the construction of the pipeline, the RTOS runs an
end-to-end throughput and delay analysis. If the end-to-end
requirements are met for the pipeline, the transmission of
data is allowed to begin from the RTOS. Tuned pipe func-
tions synchronize their start and end of operation life-cycle
using Start-Of-Task and End-Of-Task packets on their input
endpoints.
The following example illustrates the specification of a
pipeline:
[∗](A | B),C | D | E, F [e2e_tput | loss_rate, e2e_delay]
The resultant pipeline is shown in Figure 5. Boomerang’s
repository of tuned pipe functions requires thatA andC con-
nect to a device output endpoint for reading, while E and F
connect to a device input endpoint for writing.
Figure 5. An example pipeline.
Boomerangdefaults to non-blocking tuned pipe semantics,
where data freshness is more important than lossless com-
munication. Figure 5 shows four-slot buffering of all pipeline
stages. If lossless communication is required, the entire pipeline
specification is preceded by an asterisk. This pipeline would
then use FIFO buffers between each pair of tuned pipes.
With four-slot buffering, the entire pipeline has an op-
tional end-to-end service specification in terms of tolerable
loss_rate and e2e_delay. With FIFO buffering, the pipeline
is specifiedwith an optional end-to-end throughput,e2e_tput ,
and delay. The throughput is measured as theminimumnum-
ber of data objects per unit time exiting a final tuned pipe,
while the delay is measured in microseconds. Each data ob-
ject represents a message, which is the size of one slot of
either a four-slot or FIFO buffer.
If the QoS specification is omitted, then the pipeline de-
faults to best effort. In such case, the VCPUs of each tuned
pipe revert to their default values. If the pipeline overloads
the PCPUs to which it is assigned, leading to an infeasible
schedule, its VCPU periods are repeatedly extended until
the pipeline is schedulable.
The shell interpreter allows parallel sections of a pipeline
to be defined by comma-separated lists of tuned pipes. Here,
the pipeline section A | B runs parallel with C . This could
be representative of two separate input sensor streams com-
ing from two different devices. Parentheses ensure correct
grouping of pipeline sequences, while two tuned pipes are
connected using the shell vertical bar symbol (|).
In the example, the outputs of B andC feed into the single
tuned pipe, D. Similarly, the output of D is split across E
and F . D might represent a sensor fusion and control task,
while E and F might be specific actuator tasks that output
their data to different devices. In an automotive system, for
example, E and F might send their outputs to two different
CAN buses, managed by device pipes.
Thee2e_delay constraint applies to the longest path through
the pipeline, while the e2e_tput applies to whichever final
task pipe has the lowest rate of output. In the figure, whichever
6
of E and F has the lowest output rate would dictate the end-
to-end throughput.
As a four-slot buffered pipeline allows each tuned pipe to
read and process whatever data sits in its input buffers, it is
possible that new data has overwritten old data before the
consumer runs. This happens if the producer has an arrival
rate, λ = 1/Tp , greater than the consumer’s service rate, µ =
1/Tc . Here, it is assumed thatTp andTc are set to ensure one
message transfer every corresponding period, regardless of
whether it is a new message or not.
3.1.4 End-to-end QoS Guarantees
Given a pipeline of tuned pipes and buffers, Boomerang runs
a constraint solver to determine Ci and Ti for each tpipei .
The function executed by tpipei is assumed to process at
least one of its Ii inputs and generate one of its Oi outputs
every period, Ti . Essentially, one or more processed data
messages propagate through a tuned pipe within Ci execu-
tion time. Boomerang assumes that Ci is derived by pre-
profiling theWCET of the corresponding task function. This
WCET is then stored in the local repository, along with the
set of inputs and outputs used by the function.
For a pipeline to successfully meet its end-to-end timing
requirements, Boomerang must still determine each period,
Ti |Ti>Ci , and possibly scale each service timeCi to forward
more than one message at a time. It follows that a FIFO buf-
fered pipeline successfully meets its end-to-end timing re-
quirements if:
1.
∑
i ∈l Ti≤e2e_delay, for the longest path l ,
2. min∀i {
mi ·Ci
Ti
}≥e2e_tput , wheremi≥1 messages are
transferred by tpipei every Ci ,
3. all FIFO buffers are sized to ensure no additional block-
ing delays of tasks, and
4. all task scheduling constraints are satisfied on their
respective PCPUs.
Similarly, a pipeline with four-slot bufferingmeets its end-
to-end requirements if:
1.
∑
i ∈l Ti≤e2e_delay, for the longest path l ,
2. max{1 −
Tp
Tc
}≤loss_rate , for allTp≤Tc , and
3. all task scheduling constraints are satisfied on their
respective PCPUs.
The end-to-end delay represents the time for a message to
traverse the longest path through a pipeline. The final mes-
sage output from the pipeline is a transformation of data
propagated through each tuned pipe.
Theworst-case end-to-end delay is the sum of all the peri-
ods of the tuned pipes in the longest path, plus any block-
ing delays. The blocking delays are zero with asynchron-
ous communication as each tuned pipe processes its most
recent data, regardless of it being updated. Similarly, block-
ing delays are avoided with FIFO-based communication if
each buffer is never empty or totally full.
It follows that each tuned pipe propagates amessage after
Ci worst-case execution time. However, if data arrives at the
inputs to a tuned pipe when it has just depleted its budget, it
must waitTi−Ci before the budget is replenished. If the next
tuned pipe in a pipeline is not synchronized to start exactly
when the previous tuned pipe forwards its data there could
be an additional delay ofTi −Ci on top of Ci to process the
data in tpipei .
To see this more clearly, consider a system ofT tasks each
with a service time of 1 time unit every T . Suppose two of
these tasks are associated with tpipe1 and tpipe2. Input data
Din to tpipe1 is processed and forwarded to tpipe2, which
producesDout . These two tuned pipes form a pipeline, while
all other tasks compete for execution on the same PCPU. Us-
ing either rate monotonic or earliest deadline first schedul-
ing [24] yields the same schedule in this case: neglecting
scheduling overheads, each task has the same priority. A
possible schedule is shown in Figure 6.
Figure 6.Worst-case end-to-end delay:
Din→tpipe1→tpipe2→Dout .
Theworst-case end-to-end delay is when each of theT −2
tasks other than those for tpipe1 and tpipe2 run immediately
after the data, Din , has arrived. Then, tpipe2 executes and
processes old input data before tpipe1 is able to read Din .
Consequently, tpipe1 does not process Din and forward the
output to tpipe2 untilT time after the data first arrived. Sim-
ilarly, tpipe2 is not able to run again until 2T − 2, when
it finally reads Din . This is because the scheduler will not
provide it with a budget replenishment until one period after
it last executed. The total end-to-end delay between Dout
and Din is therefore 2T − 1. For large T this approaches a
worst-case delay of 2T . Extending this to more than two
tasks in a pipeline leads to the worst-case end-to-end delay
being the sum of the corresponding tuned pipe periods.
The end-to-end throughput of a path through a FIFO buf-
fered pipeline is limited by the minimum output rate of any
one tuned pipe in that path. A tuned pipe’s output rate is
how many messages it is able to forward in its period. As
FIFO buffering allows tpipei to forwardmi≥1 messages per
period, the minimum value of mi ·Ci
Ti
≥e2e_tput for all i is a
lower-bound on overall throughput.
For any pair of tuned pipes connected via FIFO buffers, it
is essential that blocking delays are factored into the end-to-
end service guarantees. Boomerang tries to avoid blocking
on message exchanges by matching the arrival and depar-
ture rates of messages passed through shared FIFO buffers.
Suppose a producing and consuming pair of tuned pipes
have budgets Cp and Cc , respectively. Given Cp = Cin is
sufficient to produce one message in Tp , and Cc = Cout is
7
sufficient to consume one message in Tc , Boomerang starts
by setting Tp = Tc = ∆, where ∆·n = e2e_delay, and n is
the number of tuned pipes in the longest path. This ensures
the producer and consumer are rate-matched, to prevent the
FIFO buffer between them either filling to capacity, or com-
pletely emptying.
Rate-matching is applied to all tuned pipes in the pipeline.
If the pipeline cannot feasibly be scheduled on its PCPUs,
each tuned pipe period is scaled by a factor α , where α > 1.
This is repeated until all tuned pipes are schedulable, but
leads to a violation of the end-to-end latency requirement.
To reduce end-to-end latency, Boomerang adjusts tuned
pipe periods, starting with the inputs to the pipeline. For
each tuned pipe pair, Tp is repeatedly halved and Cc is sim-
ilarly doubled, ensuring that Tp>Cp , Tc>Cc and all VCPUs
are schedulable when possible. The doubling ofCc enables it
to process multiple messages,mc , in one budget cycle.Tp is
reduced until either the entire pipeline meets its end-to-end
delay requirement or it is set as low as feasibly possible. If
∑
i ∈l Ti≤e2e_delay for longest path l , the algorithms stops,
or else it moves onto the next stage in the path, and repeats
the above procedure.
If all stages of the pipeline have been processed from in-
put to output, the algorithm revisits each consumer whose
budget is set to process multiple messages in one period.
For each consumer, both Cc and Tc are halved, as long as
Cc is no smaller than the time to process one message. If
the path’s e2e_delay is satisfied, or tuned pipe periods and
budgets cannot be reduced further, the algorithm stops. At
this point each Cp = mp ·Cin and each Cc = mc ·Cout , for
mp ,mc≥1.
If a feasible schedule for the pipeline is found, each FIFO
buffer is set to have enough space for 2×⌈mc ·Tcmp ·Tp ⌉ messages
output from the producer. The factor of two accounts for
the potential phase-shifted processing of messages by the
producer and consumer, ensuring that the buffer is never
empty or full, but instead operates with approximately half
its maximum occupancy.
For four-slot communication, if the consumer has a smal-
ler period than a producer at any stage in the pipeline, then
the consumer will always see the most recent data. Given
that four-slot communication restricts each tuned pipe to
read, process and write one message every period, it is im-
possible for a pipeline to lose any data if all consumer peri-
ods are smaller than their corresponding producer periods.
However, if a consumer has a larger period than its producer,
such thatTc > Tp , then the producer may overwrite data be-
fore the consumer sees the previous message. It follows that
the loss-rate through a four-slot pipeline is limited to the
maximum value of 1 −
Tp
Tc
of any stage in the pipeline. This
is an importantmetric for sensor data processing, where the
fraction of lost data must be constrained.
Irrespective of four-slot or FIFO-based communication,
all VCPUs serving all tuned pipes in a pipeline must sat-
isfy the system scheduling requirements. For n tuned pipes
scheduled using rate-monotonic scheduling, the scheduling
constraint is satisfied if
∑n
i=1
Ci
Ti
≤n·(21/n−1). If earliest-deadline
first scheduling is used, the scheduling constraint is satisfied
if
∑n
i=1
Ci
Ti
≤1 on a single PCPU. Boomerang applies these
constraints, including utilization bounds on IO VCPUs used
by device pipes, to ensure pipeline schedulability. This holds
for pipelines encompassing our RTOS and Linux SCHED_DEADLINE
tasks.
4 Evaluation
We evaluated Boomerang on an Up Squared Single-board
Computer (SBC), featuring an Intel CeleronN3350 processor
with a speed up to 2.4 GHz. We connected a five-channel
Kvaser USBCan Pro 5xHS CAN bus interface via USB 3.0.
This setup emulated an automotive system that reads sensor
inputs and writes actuator outputs on a CAN bus.
Traffic on channels 1-3 (CAN1-3) was produced byWood-
ward MotoHawk ECM5634-70 ECUs, as used in chassis and
powertrain applications in a real vehicle. Each of these chan-
nels produced data at 20%, 30% and 40% of their 500kbps
bandwidths, respectively. Channels 4 and 5 (CAN4-5) were
replacedwithArduinoUNOs [4] equippedwith CAN shields,
to collect performance data.
Two separate pipelines were constructed for CAN4 and
CAN5, with thread budgets and periods shown in Table 1.
These pipelines shared three device I/O threads: mhydra_rx
and mhydra_tx for Kvaser USBCan scatter-gather function-
ality, and aUSB xHCI bottomhalf handler (USB_BH).Pipeline
1 consists of three task pipes: CanRead,MLProcess& CanWrite.
These read CAN data, perform machine learning, and write
CAN data, respectively. Pipeline 2 consists of two task pipes:
RTFusion and RTControl, for sensor data fusion and con-
trol, respectively.
Thread Budget (ms) Period (ms) Utilization (%)
Pipeline 1 (CAN4)
USB_BH 0.1 1 10
mhydra_rx 0.2 1 20
CanRead 0.1 2 5
MLProcess 0.2 2 10
CanWrite 0.1 2 5
mhydra_tx 0.2 1 20
USB_BH 0.1 1 10
Pipeline 2 (CAN5)
USB_BH 0.1 1 10
mhydra_rx 0.2 1 20
RTFusion 0.1 2 5
RTControl 0.1 2 5
mhydra_tx 0.2 1 20
USB_BH 0.1 1 10
Table 1. Pipeline details.
8
Given the above setup, we comparedBoomerang to a tuned
pipe implementation on a PREEMPT_RT-patchedYocto 4.9.99
SMP Linux system. The Boomerang partitioning hypervisor
ran our RTOS in one sandbox, and Yocto Linux in another.
In all cases xHCI device interrupts were mapped to Core 0,
while all other device interrupts were redirected to Core 1.
Table 2 shows the assignment of threads to cores.
Core 0 Core 1
CanRead, CanWrite, RTFusion, MLProcess, background tasks,
RTControl, CAN1-3, USB_BH, Other Interrupts
mhydra_rx, mhydra_tx
Table 2. Thread assignments to cores.
Background tasks running on Core 1 generated disk and
network I/O activity. These included five wget tasks that
each retrieved a copy of a 1.9GB binary image over the In-
ternet. Five additional tasks performed file copies of a local
version of the binary image to different directories. A peri-
odic task additionally consumed 20% of the CPU time to
bring the total average utilization across all tasks on Core
1 to 67%.
Linux SMP: All threads were assigned budgets and peri-
ods within the SCHED_DEADLINE scheduling class except the
USB_BH bottomhalf handler.Withoutmodifications to Linux,
bottom half handlers are not guaranteed CPU reservations.
Boomerang:TheBoomerangpartitioning hypervisor ran
our RTOS on Core 0 and Yocto Linux on Core 1. The RTOS
has its own Real-time USB stack and mhydra driver for the
Kvaser USBCan interface. The MLProcess ran on Linux and
represented a machine learning task using capabilities un-
available in the RTOS. Pipeline 1 extended from the RTOS
into Linux via a secure shared memory channel using exten-
ded page table mappings.
All experiments were run for 30s over 10 runs each, al-
though end-to-end delay results are displayed for the first
200 packets.
4.1 Asynchronous Communication
Asynchronous communication using four-slot buffering has
the potential to suffer information loss. We constructed two
experiments with expected pipeline losses of 0% loss and
20%. In both cases, packets for Pipelines 1 and 2 arrived
and departed on CAN4 and CAN5 channels, respectively.
We measured the round-trip time taken by each packet to
be read from and written to each of these channels. From
Table 2, the expected end-to-end delay for Pipeline 1 was
10ms, and for Pipeline 2 was 8ms.
4.1.1 End-to-end Delay
Figures 7 and 8 show the end-to-end delay for Pipelines 1
and 2, when there is no expected loss. The horizontal lines
represent the expected latency as calculated above. The end-
to-end latency for Boomerang is always less than the theor-
etically calculated bound. However, Linux SMP frequently
fails to meet the end-to-end delay requirements. The main
reason is the priority mismatch between bottom-half hand-
lers and the task awaiting I/O operations. Our RTOS ensures
that bottom-half handlers run at the correct priority with
a specific CPU reservation. Therefore, Boomerang achieves
temporal isolation between tasks and interrupts. As Linux
is unable to achieve the same level of timing guarantees,
even when tasks are guaranteed CPU reservations, there are
some lost packets as observed by the missing data points in
Figures 7 and 8. Table 5 summarizes the end-to-end latency
results. It also shows that Linux suffers packet losses of 28%
and 56% for Pipelines 1 and 2, respectively.
Figure 9 shows the cumulative interrupts received by each
core with Boomerang and Linux SMP over the duration of
200 packet transfers. The cumulative numbers of interrupts
are 20623 and 16693, respectively, in Boomerang and Linux
SMP. Linux has fewer overall interrupts but more on Core
0. We conjecture this is caused by local APIC timer inter-
rupts, which are influenced by the budget management of
SCHED_DEADLINE tasks. However, this requires further
investigation. Notwithstanding, Linux SMP fails tomeet end-
to-end delay guarantees because of its unpredictability in
interrupt handling.
4.1.2 Loss
Sensor data processing is often able to tolerate a specific loss
rate. We increased the periods of certain pipeline tasks, as
shown in Table 3, to incur a tolerable loss rate up to 20%. The
expected latency for Pipeline 1 is now changed from 10ms to
11ms due to increased periods of MLProcess and CanWrite.
Similarly, the expected latency of Pipeline 2 is changed from
8ms to 8.5ms due to the increased periodicity of RTControl.
Task Pipeline Loss (%) Budget (ms) Period (ms)
MLProcess
0 0.2 2
20 0.2 2.5
CanWrite
0 0.1 2
20 0.1 2.5
RTControl
0 0.1 2
20 0.1 2.5
Table 3. Difference in periods for different loss.
Figures 10 and Figure 11 show the end-to-end delays for
each pipeline. Boomerang keeps the loss-rate within 20%, as
observed in Table 6. However, Linux SMP misses 55% and
50% of the 200 packets, respectively, for Pipelines 1 and 2.
4.2 Synchronous Communication
We repeated experiments with Pipelines 1 and 2 using FIFO-
buffering. The constraint solver described in Section 3.1.4 is
used to establish correct budgets, periods and buffer sizes.
The finally calculated budget and periods are presented in
Table 4. Buffer sizes are 4, 2 and 4 messages, respectively
betweenCanRead andMLProcess,MLProcess andCanWrite,
and RTFusion and RTControl.
9
0 50 100 150 200
Packet ID
0
10
20
30
40
50
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang
Linux SMP
Delay Bound
Figure 7. Pipeline 1 - no expected loss.
0 50 100 150 200
Packet ID
0
10
20
30
40
50
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang
Linux SMP
Delay Bound
Figure 8. Pipeline 2 - no expected loss. Figure 9. Interrupts - no expected loss.
0 50 100 150 200
Packet ID
0
10
20
30
40
50
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang
Linux SMP
Delay Bound
Figure 10. Pipeline 1 - 20% accepted
loss.
0 50 100 150 200
Packet ID
0
10
20
30
40
50
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang
Linux SMP
Delay Bound
Figure 11. Pipeline 2 - 20% accepted
loss.
Figure 12. IRQs - 20% accepted loss.
0 50 100 150 200
Packet ID
0
20
40
60
80
100
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang
Linux SMP
Delay Bound
Figure 13. Pipeline 1 - FIFO.
0 50 100 150 200
Packet ID
0
20
40
60
80
100
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang
Linux SMP
Delay Bound
Figure 14. Pipeline 2 - FIFO.
0 50 100 150 200
Packet ID
0
5
10
15
20
25
En
d-
to
-e
nd
 D
el
ay
 (m
s)
Boomerang CAN4 Path
Boomerang CAN5 Path
Delay Bound CAN4 Path
Delay Bound CAN5 Path
Figure 15.MIMO Pipeline.
Task Budget (ms) Period (ms) Utilization (%)
Pipeline 1 (CAN4)
CanRead 0.1 2 5
MLProcess 0.2 4 5
CanWrite 0.2 4 5
Pipeline 2 (CAN5)
RTFusion 0.1 2 5
RTControl 0.125 2.5 5
Table 4. Synchronous pipeline (Common threads not
shown).
4.2.1 Throughput and Delay
The expected end-to-end delay of Pipeline 1 is increased to
14ms because of the increased periods of the tpipe threads.
Figures 13 and 14 show the revised end-to-end delays. Meas-
urements are summarized in Table 7. FIFO buffering does
not improve the latency for Linux SMP because of previ-
ouslymentioned issues with interrupts. However, it improves
the packet loss rate for Linux SMP, as a buffer holds mes-
sages even if a tpipe thread is interrupted.
Table 8 shows the throughput with Boomerang and Linux
SMP are similar, although the standard deviation is smaller
with Boomerang. Arrival rates (λ) from CAN4 and CAN5
are shown for each pipeline.
4.3 MIMO Pipelines
Boomerang supports the construction of pipelines withmul-
tiple inputs and outputs (MIMO). We constructed a pipeline
based on Figure 5, representative of automotive tasks. Using
10
System Min
(ms)
Max
(ms)
Avg
(ms)
Loss
(%)
Pipeline 1 (Delay bound = 10 ms)
Boomerang 0.79 9.57 3.27 0
Linux SMP 2.1 31.5 11.70 28
Pipeline 2 (Delay bound = 8 ms)
Boomerang 0.92 7.97 4.35 0
Linux SMP 1.8 24.77 6.79 56
Table 5. Latency - no expected loss.
System Min
(ms)
Max
(ms)
Avg
(ms)
Loss
(%)
Pipeline 1 (Delay bound = 11 ms)
Boomerang 0.64 10.96 4.87 3.5
Linux SMP 2.24 98.21 14.46 55
Pipeline 2 (Delay bound = 8.5 ms)
Boomerang 0.64 2.38 1.07 0
Linux SMP 3.49 96.02 13.91 50
Table 6. Latency - 20% accepted loss.
System Min
(ms)
Max
(ms)
Avg
(ms)
Loss
(%)
Pipeline 1 (Delay bound = 14 ms)
Boomerang 0.77 11.23 4.25 0
Linux SMP 0.96 65.24 33.10 0.5
Pipeline 2 (Delay bound = 8.5 ms)
Boomerang 0.70 5.03 1.56 0
Linux SMP 0.70 38.46 12.84 0
Table 7. Latency - FIFO buffering.
System Min
(msg/s)
Max
(msg/s)
Avg
(msg/s)
stddev
Pipeline 1 (λ=100 msgs/s)
Boomerang 99 101 99.77 0.63
Linux SMP 86 105 98.1 4.39
Pipeline 2 (λ=125 msgs/s)
Boomerang 123 126 124.77 0.73
Linux SMP 120 126 123.17 1.39
Table 8. Synchronous throughput.
Min
(ms)
Max
(ms)
Avg
(ms)
stddev Loss
(%)
Pipeline 1 (Delay bound = 10 ms)
0.86 9.63 2.56 1.32 0
Pipeline 2 (Delay bound = 8 ms)
0.70 5.00 2.11 0.86 0
Table 9.MIMO Pipeline latency.
Min
(msg/s)
Max
(msg/s)
Avg
(msg/s)
stddev
Pipeline 1 (λ=100 msgs/s)
99 101 99.74 0.58
Pipeline 2 (λ=125 msgs/s)
124 126 124.74 0.58
Table 10.MIMO Pipeline throughput.
the labeling in that figure, tuned pipesA−F have the follow-
ing (budget, period) pairs in milliseconds:A (0.1,1),B (0.2, 2),
C (0.1, 1),D (0.4, 2),E (0.1, 1) and F (0.1, 1).A reads input from
CAN4 while C reads input from CAN5. Similarly, E writes
back to CAN4, and F writes to CAN5. Tuned pipeD operates
in Linux while all others operate in the RTOS.
Tables 9 and 10 summarize the throughput and latencies,
while Figure 15 shows the end-to-end delay. Even with mul-
tiple device inputs and outputs, both paths through CAN4
and CAN5 transfer data within their expected bounds.
4.4 Discussion
Boomerang supports the construction of QoS-constrained
task pipelines that span an RTOS and a legacy system. Each
tuned pipe executes on a bandwidth-preserving VCPU, to
ensure end-to-end timing guarantees. Interrupt handlers are
executed with time-budgeted IO VCPUs, whereas this is not
the case in Linux. The SCHED_DEADLINE scheduling class
ensures timely execution of tasks in Linux but requires in-
terrupt handlers to be demoted to a lower priority.
The version of Linux used in Boomerang is the same as
that used in all standalone experiments labelled Linux SMP.
In all comparisons, Linux includes the PREEMPT_RT patch
for improved real-time responsiveness. Additionally, SCHED-
_DEADLINE provides CPU reservations, which are not found
in many simpler RTOSes.
Only if tuned pipes are implemented in an OS that en-
sures temporal isolation and scheduling of interrupts is it
possible to ensure end-to-end timing guarantees on critical
I/O control paths. Device I/O still needs to be conformant
with a task pipeline’s end-to-end requirements. That is, data
must arrive at an input device and be able to depart accord-
ing to pipeline throughput requirements. In the experiments,
we ensure all CAN interfaces provide appropriate arrival
and departure rates through device pipes to meet end-to-
end requirements.
Thiswork has thus far not considered shared caches, DRAM
and memory buses as potential causes of interference and
timing unpredictability. Page coloring [22], andmemoryband-
width budgets [52, 54] have been studied in past work. We
consider these techniques complementary to the VCPU schedul-
ing used with tuned pipes.
It may seem counter-intuitive to build task pipelines that
communicate with a lower criticality, and potentially less
secure system in a separate guest domain. However, we en-
vision this being the case for systems that wish to lever-
age pre-existing functionality of a legacy OS. Automotive
systems are considering the integration of mixed-criticality
tasks and services [31]. Future work will investigate secure
information flow rules to prevent access to data by unau-
thorized software components.
5 Related Work
5.1 Operating Systems
Several systems have attempted to provide temporal isola-
tion between tasks. Mercer et al implemented processor ca-
pacity reserves in the Mach micro-kernel [28]. As with our
RTOSVCPUs, a processor capacity reserve provides a budget
and a period for each task. Once a task depletes its budget
it is unable to continue execution until its budget is replen-
ished.
Steere et al used a reservation-based scheme along with a
feedback-based controller to adjust CPU allocations among
tasks [41]. The idea is somewhat similar to Boomerang’s
tuned pipes. However, it does not integrate the scheduling
of interrupt handlers with task execution.
11
Linux supports reservation-based scheduling using the
PREEMPT_RT patch [33] and SCHED_DEADLINE [23] task ex-
ecution. This allows tasks to specify CPU reservations that
aremanaged by a Constant Bandwidth Server [2]. LITMUSRT
[11] is a Linux-based system that supports configurable real-
time schedulers, including those with reservations. Multiple
RTOSes attempt to provide temporal isolation to tasks [7, 20,
47]. However, these systems do not properly handle events
such as interrupts, whichmay interferewith the timing guar-
antees to the real-time tasks.
RT-Linux virtualizes interrupts for non-time-critical parts
of the system, thereby ensuring real-time service to time-
critical tasks [53]. Similar approaches have been adopted
by Wind River Linux [49], the Real-time Application Inter-
face (RTAI) for Linux [14], Xenomai [50], and NASA’s CFS
Linux [30]. Zhang et al integrated interrupt handling with
task scheduling in Linux. A bottom half handler for a device
interrupt inherited the highest priority of a blocked process
waiting on the device [56]. However, interrupt handling was
not limited to a CPU reservation, meaning a burst of inter-
rupts could still interfere with tasks.
Many real-time OSes such as eCOS [15], RTEMS [12], and
FreeRTOS [36] provide a single address spacemulti-threaded
solution for multicore machines. However, this is insuffi-
cient for many safety-critical domains, requiring both tem-
poral and spatial isolation between components of differ-
ent criticality levels. The Quest RTOS [13] not only sup-
ports multiple address spaces, but also provides a Priority-
Inherited Bandwidth-preserving Server approach to serve
the interrupts in a timely manner along with CPU-bound
tasks. While Quest provides timing isolation for both I/O-
and CPU-bound tasks, it does not support the richness of
services found in a legacy system such as Linux.
5.2 Hypervisors
Several hypervisors attempt to support both temporal and
spatial isolation of real-time and non-real-time guests [26,
27, 44, 46]. RT-Xen [51] adds real-time scheduling support
to the Xen [6] hypervisor. However, all these hypervisors
multiplex their guests on a shared physical machine. They
virtualize interrupts, and perform additional resource man-
agement operations that conflict with the policies within
each guest.
Partitioning hypervisors allow guests to directly manage
subsets of machine resources. The hypervisor is removed
from I/O and resource management once each guest is gran-
ted access to its machine resources. The Quest-V [48] separ-
ation kernel [37] uses a partitioning hypervisor to support
the co-existence of the Quest RTOS and one or more general
purpose OSes. Each guest OS runs simultaneously on sep-
arate cores in a multicore machine, with device interrupts
delivered directly to the guest that owns the device.
PikeOS [42] and Muen [10] are separation kernels that
support multiple guest OSes. However, unlike Quest-V, in-
terrupts are trapped into the hypervisor, and subsequently
delivered to the guest OSes. Jailhouse [35] and ACRN [3]
have similarities to Quest-V. Jailhouse uses Linux to boot-
strap a system that provides cells for system inmates. These
are essentially restricted hardware subsets assigned to guests.
However, Jailhouse does not currently provide an integrated
approach for guests to communicate in real-time via shared
memory channels. ACRN’s philosophy is to allow a service
OS to manage machine resources on behalf of other safety-
critical OSes. However, as with Jailhouse, there is currently
no way to communicate between guests with end-to-end
timing guarantees. Boomerang’s partitioning hypervisor is
modeled on the approach taken by Quest-V, but provides
support for composable tuned pipes spanningmultiple guests.
5.3 Predictable Communication
Boomerang’s support for composable tuned pipes is greatly
inspired by the Scout operating system [29]. In Scout, paths
through a sequence of services are treated as first-class schedulable
entities. The entire processing along a path is run in the con-
text of a single thread that is scheduled according to the bot-
tleneck queue. Boomerang, in contrast, schedules each com-
ponent of a pipeline with a separate time-budgeted thread.
This allows paths to be interleaved and executed on differ-
ent PCPUs, spanning different sandboxes.
RAD-FLOWS [32] provided a design framework for pre-
dictable data communication. Thework includes several designs
and proofs for predictable inter-task communication. How-
ever, RAD-FLOWS does not seem to have been applied to a
working system.
Golchin et al developed a system abstraction for predict-
able data delivery between USB devices and a real-time pro-
cess [17]. Boomerang provides support for real-time I/O to
span multiple tasks in a partitioning hypervisor. We envi-
sion Boomerang to be useful in automotive systems, data
streaming applications [1] and systems based on publisher-
subscriber models, such as ROS [34].
6 Conclusions and Future Work
This paper presents Boomerang,which combines time-critical
tasks with legacy services. Boomerang’s partitioning hyper-
visor connects a built-in guest RTOS with a legacy system
such as Linux, via secure and predictable shared memory
communication channels. The legacy OS benefits from tim-
ing predictable services that are isolated from less critical
code. At the same time, the RTOS benefits from the pre-
existing services, including libraries and lower criticality device
drivers of a legacy non-real-time system.
Boomerang supports composable tuned pipes, for real-
time task pipelines that require guaranteed end-to-end ser-
vice on data transfers. The system provides real-time task
pipelines with complementary legacy services that are tim-
ing predictable using CPU reservations.
12
Experiments show that real-time task pipelines guaran-
tee end-to-end throughput, delay and loss requirements in
Boomerang.This is the case for all pipelines containedwithin
the RTOS and which span both the RTOS and Linux. In con-
trast, task pipelines in Linux are not able to ensure end-to-
end service constraints, even when using CPU reservations.
This is because of task interference by interrupts from I/O
devices. The interrupt handlers need to be assigned suitable
CPU reservations at appropriate priorities that match the
pipelined tasks they serve. Alternatively, if I/O processing
is assigned to a dedicated core, it reduces system utilization.
Future work will extend Boomerang’s composable tuned
pipes to span different physicalmachines.We see a program-
ming model for real-time pipes useful in data flowmachines
and stream processing applications, such as those in neur-
omorphic computing.
NB: The source code for Boomerang is available upon re-
quest.
References
[1] Daniel Abadi, Donald Carney, Ugur Cetintemel, Mitch Cherniack,
Christian Convey, C Erwin, Eduardo Galvez, M Hatoun, Anurag Mas-
key, Alex Rasin, et al. 2003. Aurora: A Data Stream Management Sys-
tem. In SIGMOD Conference. Citeseer, 666.
[2] Luca Abeni and Giorgio Buttazzo. 1998. Integrating Multimedia Ap-
plications in Hard Real-Time Systems. In Proceedings of the 19th IEEE
Real-time Systems Symposium. 4–13.
[3] Project ACRN. 2019. https://projectacrn.org/.
[4] Arduino Homepage. Last Accessed: April-2019. http://arduino.cc.
[5] AUTOSAR. Last Accessed: 2019. AUTomotive Open System ARchi-
tecture – http://www.autosar.org.
[6] Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris,
Alex Ho, Rolf Neugebauer, Ian Pratt, and AndrewWarfield. 2003. Xen
and theArt of Virtualization. InACMSIGOPS operating systems review,
Vol. 37. ACM, 164–177.
[7] DL Bayer and Heinz Lycklama. 1975. MERT-A Multi-environment
Real-time Operating System. In ACM SIGOPS Operating Systems Re-
view, Vol. 9. ACM, 33–42.
[8] D. E. Bell and L. J. LaPadula. 1976. Secure Computer System: Unified
Exposition and Multics Interpretation. Technical Report ESD-TR-75-
306. Mitre Corporation, Bedford, MA.
[9] Roman Obermaisser Bernhard Leiner, Martin Schlager and Bernhard
Huber. 2007. A Comparison of Partitioning Operating Systems for
Integrated Systems. In Proceedings of the 26th International Conference
on Computer Safety, Reliability and Security (SAFECOMP). Nuremberg,
Germany.
[10] Reto Buerki and Adrian-Ken Rueegsegger. 2013. Muen - An x86/64
Separation Kernel for High Assurance. University of Applied Sciences
Rapperswil (HSR), Tech. Rep (2013).
[11] John M Calandrino, Hennadiy Leontyev, Aaron Block, UmaMa-
heswari C Devi, and James H Anderson. 2006. LitmusRT : A Testbed
for Empirically Comparing Real-time Multiprocessor Schedulers. In
2006 27th IEEE International Real-Time Systems Symposium (RTSS’06).
IEEE, 111–126.
[12] OAR Corporation. Last Release: 2016.
RTEMS. https://www.rtems.org/.
[13] MatthewDanish, Ye Li, and RichardWest. 2011. Virtual-CPU Schedul-
ing in the Quest Operating System. In 2011 17th IEEE Real-Time and
Embedded Technology and Applications Symposium. IEEE, 169–179.
[14] Lorenzo Dozio and PaoloMantegazza. 2003. Linux Real Time Applica-
tion Interface (RTAI) in Low Cost High Performance Motion Control.
Motion Control 2003, 1 (2003), 1–15.
[15] eCos. 2019. Embedded Configurable Operating System.
http://ecos.sourceware.org/.
[16] Petros Efstathopoulos, Maxwell Krohn, Steve VanDeBogart, Cliff Frey,
David Ziegler, Eddie Kohler, David Mazières, Frans Kaashoek, and
Robert Morris. 2005. Labels and Event Processes in the Asbestos Op-
erating System. In SOSP ’05: Proceedings of the twentieth ACM sym-
posium on Operating systems principles. ACM Press, New York, NY,
USA, 17–30.
[17] A. Golchin, Z. Cheng, and R. West. 2018. Tuned Pipes: End-to-End
Throughput and Delay Guarantees for USB Devices. In Proceedings of
the 39th IEEE Real-Time Systems Symposium (RTSS). 196 – 207.
[18] Arne Hamann, Dakshina Dasari, Simon Kramer, Michael Pressler, and
Falk Wurst. 2017. Communication Centric Design in Complex Auto-
motive Embedded Systems. In Proceedings of the 29th Euromicro Con-
ference on Real-Time Systems. Dagstuhl, Germany.
[19] ISO. 2011. ISO 26262-3: Road vehicles - Functional safety - Part 3:
Concept phase .
[20] Jean J Labrosse. 2002. MicroC/OS-II: The Real Time Kernel. CRC Press.
[21] John Lehoczky, Lui Sha, and Ye Ding. 1989. The Rate Monotonic
Scheduling Algorithm: Exact Characterization and Average Case Be-
havior. In Proceedings of the IEEE Real-Time Systems Symposium
(RTSS).
[22] Jochen Liedtke, Hermann Härtig, and Michael Hohmuth. 1997. OS-
Controlled Cache Predictability for Real-Time Systems. In Proceedings
of the 3rd IEEE Real-time Technology and Applications Symposium.
[23] Linux. 2019. SCHED_DEADLINE Policy.
https://www.kernel.org/doc/Documentation/scheduler/sched-
deadline.txt.
[24] C. L. Liu and James W. Layland. 1973. Scheduling Algorithms for
Multiprogramming in a Hard Real-Time Environment. J. ACM 20, 1
(1973), 46–61.
[25] LynxSecure Embedded Hypervisor and Separation Kernel. 2019.
https://info.lynx.com/products/lynxsecure-programmable-processor-
partitioning-system.
[26] Miguel Masmano, Ismael Ripoll, Alfons Crespo, and J Metge. 2009.
Xtratum: a Hypervisor for Safety Critical Embedded Systems. In 11th
Real-Time Linux Workshop. Citeseer, 263–272.
[27] Mentor. 2019. Mentor Embedded Hypervisor.
https://www.mentor.com/embedded-software/hypervisor/.
[28] Clifford W. Mercer, Stefan Savage, and Hideyuki Tokuda. 1994. Pro-
cessor Capacity Reserves for Multimedia Operating Systems. In Pro-
ceedings of the IEEE International Conference on Multimedia Comput-
ing and Systems.
[29] David Mosberger and Larry L. Peterson. 1996. Making Paths Explicit
in the Scout Operating System. In Proceedings of the Second USENIX
Symposium on Operating Systems Design and Implementation (OSDI
’96). ACM, New York, NY, USA, 153–167.
[30] NASA. 2019. cfsLinux. https://cfs.gsfc.nasa.gov/.
[31] Georg Niedrist. 2016. Deterministic Architecture and Middleware for
Domain Control Units and Simplified Integration Process Applied to
ADAS. https://www.tttech.com/technologies/adas.
[32] Roberto Pineiro, Kleoni Ioannidou, Scott A Brandt, and Carlos
Maltzahn. 2011. RAD–FLOWS: Buffering For Predictable Commu-
nication. In 2011 17th IEEE Real-Time and Embedded Technology and
Applications Symposium. IEEE, 23–33.
[33] PREEMPT_RT. 2019. ht-
tps://rt.wiki.kernel.org/index.php/Main_Page.
[34] Morgan Quigley, Ken Conley, Brian Gerkey, Josh Faust, Tully Foote,
Jeremy Leibs, Rob Wheeler, and Andrew Y Ng. 2009. ROS: An Open-
source Robot Operating System. In ICRA workshop on open source soft-
ware, Vol. 3. Kobe, Japan, 5.
13
[35] Ralf Ramsauer, Jan Kiszka, Daniel Lohmann, and Wolfgang Mauerer.
2017. Look Mum, No VM Exits! (Almost). In Proceedings of the 13th
Workshop on Operating Systems Platforms for Embedded Real-time Ap-
plications (OSPERT).
[36] Real Time Engineers Ltd. 2019. FreeRTOS. https://www.freertos.org/.
[37] John Rushby. 1981. The Design and Verification of Secure Systems. In
Eighth ACM Symposium on Operating System Principles (SOSP). Asilo-
mar, CA, 12–21. (ACM Operating Systems Review, Vol. 15, No. 5).
[38] John Rushby. 2002. Model Checking Simpson’s Four-slot Fully Asyn-
chronous Communication Mechanism. Computer Science Laboratory–
SRI International, Tech. Rep. Issued (2002).
[39] H.R. Simpson. 1990. Four-slot Fully Asynchronous Communication
Mechanism. IEEE Computers and Digital Techniques 137 (January
1990), 17–30.
[40] B. Sprunt. 1989. Scheduling Sporadic and Aperiodic Events in a Hard
Real-Time System. Technical Report. Software Engineering Institute,
Carnegie Mellon.
[41] David C. Steere, Ashvin Goel, Joshua Gruenberg, Dylan McNamee,
Calton Pu, and Jonathan Walpole. 1999. A Feedback-driven Propor-
tion Allocator for Real-rate Scheduling. In Proceedings of the Third
Symposium on Operating Systems Design and Implementation (OSDI
’99). USENIX Association, 145–158. New Orleans, Louisiana, USA.
[42] SYSGO. Last release: Version 4.2, April 2017. PikeOS.
http://www.sysgo.com/products/pikeos-rtos-and-virtualization-
concept.
[43] Wind River Systems. 2008. ARINC 653 - An Avionics Standard for
Safe, Partitioned Systems.
[44] Wind River Systems. 2019. Wind River Hypervisor.
https://www.windriver.com/products/operating-
systems/virtualization/.
[45] Siemens Corporate Technology. 2014. Jailhouse Partitioning Hyper-
visor. hps://github.com/siemens/jailhouse.
[46] Tenasys. 2019. eVM for Windows.
https://www.tenasys.com/products/evm-for-windows/.
[47] VxWorks. 2019. https://www.windriver.com/products/vxworks/.
[48] Richard West, Ye Li, Eric Missimer, and Matthew Danish. 2016. A Vir-
tualized Separation Kernel for Mixed-Criticality Systems. ACMTrans-
actions on Computer Systems 34, 3, Article 8 (June 2016), 41 pages.
[49] Wind River Systems. 2019.
https://www.windriver.com/products/linux/.
[50] Xenomai. Last Released: 2018. https://xenomai.org/.
[51] Sisu Xi, Justin Wilson, Chenyang Lu, and Christopher Gill. 2011. RT-
Xen: Towards Real-time Hypervisor Scheduling in Xen. In Proceedings
of the ninth ACM international conference on Embedded software. ACM,
39–48.
[52] Ying Ye, Richard West, Jingyi Zhang, and Zhuoqun Cheng. 2016.
MARACAS: A Real-Time Multicore VCPU Scheduling Framework. In
Proceedings of the 37th IEEE Real-Time Systems Symposium.
[53] Victor Yodaiken. 1999. The RT Linux Manifesto. 12 pages.
[54] Heechul Yun, Gang Yao, Rodolfo Pellizzoni, Marco Caccamo, and Lui
Sha. 2013. MemGuard:Memory BandwidthReservation System for Ef-
ficient Performance Isolation in Multi-core Platforms. In Proceedings
of the 19th IEEE Real-Time and Embedded Technology and Applications
Symposium. 55–64.
[55] Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, and David
Mazieres. 2006. Making Information Flow Explicit in HiStar. In OSDI
’06: Proceedings of the second USENIX symposium on Operating systems
design and implementation. 263–278.
[56] Yuting Zhang and Richard West. 2006. Process-Aware Interrupt
Scheduling and Accounting. In Proceedings of the 27th IEEE Interna-
tional Real-Time Systems Symposium (RTSS ’06). IEEE Computer Soci-
ety, Washington, DC, USA, 191–201.
14
This figure "sample-franklin.png" is available in "png"
 format from:
http://arxiv.org/ps/1908.06807v1
