Verification

of Real-Time Systems
Resource Sharing

Jan Reineke

Advanced Lecture, Summer 2015

Resource Sharing

 So far, we have assumed sets of independent

tasks.
 However, tasks may share resources
 to communicate with each other, e.g. through
shared memory
 because resources are sparse, e.g. I/O devices,
duplication would be expensive
 Need to ensure mutual exclusion
 typically by protecting accesses to the shared
resource by semaphores
 Resource Sharing
Why do We Have to Worry about Resource
Sharing?
 Shared resources:
 DataShared
structures,
Resources: variables, main
Data structures, variables,
memorymainarea,
memory files,
area,I/O units,
file, set of the
registers,
processor, I/O unit, the
etc.
processor, etc.
 Mutual exclusion, critical
Mutual exclusion, critical section
section
 When a jobWhenenters a the
a job enters critical
critical
section ofsection
a shared resource,
of a shared resource,
the accesses to the shared
other jobs trying
resource fromto enter
other a
jobs are
blocked.
critical section of the same
resource are blocked.

4 Dec. 03, 2012: Scheduling Theory in Real-Time Systems (lv24075)

 Resource Sharing Affects Scheduling and
Priority Inversion
Schedulability: Priority Inversion
Priority Inversion: A higher priority job is
blocked by a lower-priority job.
Priority Inversion:
Unavoidable when there areacritical
higher priority job is blocked
by a lower-priority job.
sections

normal execution
critical section
J1 is blocked

J1

J2

6 Dec. 03, 2012: Scheduling Theory in Real-Time Systems (lv24075)

Priority Inversion: Another Example
Priority Inversion in the Real World:
Mars Pathfinder
 Priority Inversion in the Real World:
Mars Pathfinder
“VxWorks provides preemptive priority scheduling of threads.
Tasks on the Pathfinder spacecraft were executed as threads
with priorities”
“Pathfinder contained an information bus, which you can think of
as a shared memory area used for passing information between
different components of the spacecraft.”
“A bus management task ran frequently with high priority to move
certain kinds of data in and out of the information bus. Access to
the bus was synchronized with mutual exclusion locks.”
 The meteorological data gathering task ran as an infrequent,
low priority thread, … When publishing its data, it would
acquire a mutex, write to the bus, and release the mutex.
 It also had a communications task that ran with medium
priority.
 Priority Inversion in the Real World:
Mars Pathfinder
High priority Medium priority Low priority
Data retrieval from Communication task Meteorological data
memory collection

“Most of the time this combination worked fine. However, very infrequently
it was possible for an interrupt to occur that caused the (medium priority)
communications task to be scheduled during the short interval while the
(high priority) information bus thread was blocked waiting for the (low
priority) meteorological data thread. In this case, the long-running
communications task, having higher priority than the meteorological task,
would prevent it from running, consequently preventing the blocked
information bus task from running. After some time had passed, a
watchdog timer would go off, notice that the data bus task had not been
executed for some time, conclude that something had gone drastically
wrong, and initiate a total system reset.”
Naïve solution for Priority Inversion

Disallow preemption during critical sections

 It is simple.

 No deadlocks. Why?

 A high-priority task is blocked for at most one

critical section. Why?
 But: it creates unnecessary blocking. Why?
Resource Access Protocols

 Basic Idea:
 Modify (increase) the priority of those jobs that
cause blocking.
 When a job Jj blocks one or more higher-priority
tasks, it temporarily assumes a higher priority.
 Methods:
 Priority Inheritance Protocol (PIP), for fixed-
priority scheduling
 Priority Ceiling Protocol (PCP), for fixed-priority
scheduling
 Stack Resource Policy (SRP), for both fixed-
and dynamic-priority scheduling
 Priority Inheritance Protocol (PIP)

When a lower priority job Jj blocks a higher-priority job,

the priority of Jj is promoted to the priority level of the
highest-priority job that job Jj blocks.
For example, if the priority order is J1 > J2 > J3 > J4 > J5,
 When job J4 blocks jobs J2 and J3, the priority of J4 is
promoted to the priority level of J2.
 When job J5 blocks J1 and J3, its priority level is
promoted to the priority level of J1.

Priority inheritance solved the Mars Pathfinder problem:

the VxWorks operating system used in the pathfinder
implements priority inheritance. The software was shipped
with priority inheritance turned off.
 Example of PIP

 t0: J1 arrives and preempts J3

 t1: J1 attempts to enter the critical section. J1 is blocked by
J3 and J3 inherits J1’s priority
 t2: J2 arrives, but has a lower priority than J3
 t3: J3 leaves its critical section, and J1 now preempts J3
 Weaknesses of PIP
Weakness of PIP
Blocking in PIP:
Blocking in PIP
 Direct blocking: higher-priority job tries to acquire a
Direct Blocking: higher-priority job tries to acquire a resource held
resource held by a lower-priority job
lower-priority job.
 Push-through blocking: a medium-priority job is blocked by
Push-through Blocking: medium-priority job is blocked by a
a lower-priority job that has inherited a higher priority
lower-priority job that has a higher priority from a job it directly bloc
Problems of PIP:
Problems of PIP
 PIP might cause deadlock if there are multiple resources:
PIP might cause deadlock if there are multiple resources

UnderPIP,
 Under PIP,ififthere
there are
are nn lower-priority
lower jobs,
priority jobs , a ahigher-priority
higher-priority
job ca
job
be can befor
blocked blocked
as highforasthe
theduration
durationofofnncritical
criticalsections:
sections.
Chained blocking
 PIP: Chained Blocking
Problem 2: chained blocking – many preemptions

V(S1)
P(S1) P(S2) V(S2)

H Task 1
P(S1)
V(S1)
M Task 2
P(S2)
V(S2)
L Task 3

Blocked
Higher-priority task can be blocked Using S1
by each lower-priority task!
Using S2
Task 1 needs M resources may be blocked M times:
many preemptions/much run-time overheads
 PIP: Blocking-Time Calculation

The set of tasks using semaphore S.

The WCET of the critical section of

task k using semaphore S.
The highest priority of the task’s
using semaphore S.

The maximal blocking time of task i under PIP:

 Improvement:
Priority Ceiling Protocol (PCP)
 Two key assumptions:
 The assigned priorities of all jobs are fixed.
 The resources required by all jobs are known a
priori, i.e., before the execution of any job begins.
 Definition: the priority ceiling of a semaphore R is
the highest priority of all the jobs that use R, and
is denoted
 Definition: The current priority ceiling of the
system is equal to the highest priority ceiling of
the semaphores in use at time t, or if no
resources are in use at time t. ( is less than all
other priorities.)
 Priority Ceiling Protocol:
Runtime Behavior
1. Scheduling Rule:
 At time t when job J is released, the current priority of J is
its priority.
 Every ready job J is scheduled based on its current priority
2. Allocation Rule: When job J requests semaphore S at
time t, one of the following conditions occur:
 S is held by another job and J becomes blocked.
 S is free:
• If J’s priority is higher than the current priority ceiling , R
is allocated to J.
• Otherwise, J becomes blocked.
3. Priority-Inheritance Rule: When J becomes blocked, the
job Jl that blocks J inherits the current priority of J until
it releases every resource whose priority ceiling is .
 Priority Ceiling Protocol: Example

Task A: … P(S1) … V(S1) …

Task B: … P(S2) … P(S3) … V(S3) … V(S2) …
Task C: … P(S3) … P(S2) … V(S2) … V(S3) …

C
Beneficial Properties of PCP

Theorem 1: Under PCP, no deadlock can occur.

Why?

Theorem 2: A job can be blocked for at most the

duration of one critical section.
Why?
 PCP: Blocking Time Calculation

The set of tasks using semaphore S.

The WCET of the critical section of

task k using semaphore S.

The maximal blocking time of task i under PIP:

 Priority Inheritance Protocol vs
Priority Ceiling Protocol

PIP
Bounded priority inversion (+)
May deadlock (-)
Up to n blockings (-)
Easy to implement (+)
PCP
Bounded priority inversion (+)
Deadlock-free (+)
At most one blocking (+)
Not easy to implement (-)
 Schedulability Analysis including
Blocking Times

Theorem:
A set of n periodic tasks under PCP can be
scheduled by rate-monotonic scheduling, if

where Bi is the worst-case blocking time of task i.

Summary

 Resource sharing may cause priority inversion

 Without further action, priority inversion may
be very long
 Priority inheritance and priority ceiling
protocols bound the worst-case blocking time
 Can be incorporated into schedulability
analysis for rate-monotonic scheduling