26
J Supercomput DOI 10.1007/s11227-014-1127-8 Scheduling analysis based on model checking for multiprocessor real-time systems Walid Karamti · Adel Mahfoudhi © Springer Science+Business Media New York 2014 Abstract Real-time systems (RTS) are omnipresent in several domains. The trend is to use multiprocessor architecture to satisfy the timing constraints of such systems. The model-checking methods have proven to be useful for making the development process reliable at a high abstraction level. Based on this approach, the present paper proposes a new technique for scheduling analysis of a partitioned multiprocessor RTS. Starting from a model with dynamic priority time Petri Nets modeling the system, we have proposed a generation of a reduced states graph. Thus, through the properties of the graph the schedulability is checked. Our approach provides an implementation of a Partition Checker tool, which produces an affirmation of the schedulability or a counterexample in the case of non-schedulable system to reduce the SW/HW space exploration. Keywords Real-time systems · dPTPN · PARC · Model checking · Scheduling analysis 1 Introduction Real-time systems (RTS) are increasingly present in several domain applications such as robotics, multimedia, avionics, control of nuclear power station, System On Chip (SOC )[32], etc. Hence, such domains are characterized by complex applications and require the use a powerful architecture to satisfy them. For an equal power, the W. Karamti (B ) CES Laboratory, ENIS Soukra km 3,5, University of Sfax, B.P.:w 1173-3000 Sfax, Tunisia e-mail: [email protected] A. Mahfoudhi College of Computers and Information Technology, Taif University, Taif, Saudi Arabia 123

Scheduling analysis based on model checking for multiprocessor real-time systems

  • Upload
    adel

  • View
    213

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Scheduling analysis based on model checking for multiprocessor real-time systems

J SupercomputDOI 10.1007/s11227-014-1127-8

Scheduling analysis based on model checkingfor multiprocessor real-time systems

Walid Karamti · Adel Mahfoudhi

© Springer Science+Business Media New York 2014

Abstract Real-time systems (RTS) are omnipresent in several domains. The trend isto use multiprocessor architecture to satisfy the timing constraints of such systems.The model-checking methods have proven to be useful for making the developmentprocess reliable at a high abstraction level. Based on this approach, the present paperproposes a new technique for scheduling analysis of a partitioned multiprocessor RTS.Starting from a model with dynamic priority time Petri Nets modeling the system, wehave proposed a generation of a reduced states graph. Thus, through the propertiesof the graph the schedulability is checked. Our approach provides an implementationof a Partition Checker tool, which produces an affirmation of the schedulability or acounterexample in the case of non-schedulable system to reduce the SW/HW spaceexploration.

Keywords Real-time systems · dPTPN · PARC · Model checking · Schedulinganalysis

1 Introduction

Real-time systems (RTS) are increasingly present in several domain applications suchas robotics, multimedia, avionics, control of nuclear power station, System On Chip(SOC) [32], etc. Hence, such domains are characterized by complex applicationsand require the use a powerful architecture to satisfy them. For an equal power, the

W. Karamti (B)CES Laboratory, ENIS Soukra km 3,5, University of Sfax, B.P.:w 1173-3000 Sfax, Tunisiae-mail: [email protected]

A. MahfoudhiCollege of Computers and Information Technology, Taif University, Taif, Saudi Arabia

123

Page 2: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

architecture can be specified with a single powerful processor or a set of processors.Therefore, using an architecture composed of low processors is required for two majorfacts. Concerning the first one, it is an economical fact. Actually, the cost of a mul-tiprocessor architecture is much cheaper compared to single-processor architecture.As for the second one, it is a practical fact. Indeed, it is crucial to distribute the cal-culus on various specialized processors for some domains like the SOC. This canexplain the growth of the variety of research studies undertaken in the multiprocessorreal-time scheduling, which presents a recent research area whose results are still inprogress.

It is worthy to mention that two main scheduling families exist. Indeed, the first fam-ily consists of the global scheduling family, which is characterized by the absence of thetasks/processors assignment. Actually, each task can migrate between free processorsto continue its execution [6,17]. Nevertheless, the costs of migration and preemptionare very important and no optimal scheduling algorithm exists [19]. Contrary to thefirst family, the partitioned family decreases the preemption and the migration costs.Indeed, this family is specified with two procedures [24]. The tasks are distributedover the processors during the assignation phase, in which the first procedure andeach task cannot migrate to other processors. Next, the second procedure which isthe scheduling analysis of all partitions is conducted to assure that the RTS system issafe. Each partition is considered as a single-processor scheduling problem, in whichoptimal scheduling policies exist [22]. It is very important to detect the schedulingfaults at an early stage to minimize the costs of its correction.

To assure the protection of such systems from failures, it is recommended to applyformal techniques intended to make the development process of the real-time appli-cations from their design to checking reliable.

This allows designers not only to precisely validate systems, but also to checkthe required properties of their behaviors. The specification and formal verificationtechniques could reduce the problem impact. They aim at being a reliable approachand constitute an important and recent field of research. The objective of the formalspecification is starting from an abstract modeling to express the system propertiesby taking into account a set of constraints and therefore, to check that the systemspecification satisfies these properties.

Generally, the choice of the suitable formal method depends on the characteristicsof the system and the properties to be checked. We distinguish two main classes fromproved methods for scheduling analytical and model-checking methods.

The analytical verification provides algorithms characterized with polynomial com-plexity for schedulability checking of a set of tasks [22]. Hence, the results are exactwhen the considered tasks are independent. However, the analytical scheduling analy-sis is pessimist in the case of dependent tasks. To increase the precision of results,especially for a complex system, the use of model-checking methods for schedulinganalysis is growing up.

Particularly, Petri Nets (PN ) [27] are considered as an adequate model checkingthanks to their great expressivity, dynamic vision and executable aspect. Besides, sincethey have been successfully used in RTS specification, it is interesting to use the PNfor the partitioned-multiprocessor scheduling analysis.

123

Page 3: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

1.1 Petri Nets for scheduling analysis

In the present section, the PN dedicated to analyze the schedulability, whose multi-processor scheduling analysis is a recent research area, is introduced.

The PN is extended to Time Petri Nets (TPNs) [26] with the aim of includingthe temporal events. Indeed, a time interval ([date_min, date_max]) is specified ontransitions. Each enabled transition is crossed at an indeterminate date belonging to itstemporal interval, which increases the impact of the main problem of the schedulabilitychecking.

The TPNs face problems in modeling the scheduling policies. In fact, TPNs isdefined as a non-deterministic formalism because when two events are enabled, it isnot specified which one has to be crossed. In reverse, a scheduling policy is knownby its capacity to solve the event conflicts. Several extensions have been proposed tosupport the scheduling policy by adding priorities to transitions.

Roux presents the Scheduling Timed Petri Nets (STPN ), in [28], to analyze periodictasks on a multiprocessor architecture. The priorities were introduced by the inhibitorarcs to support a fixed priority driven scheduling policy such as Rate Monotonic(RM) [22]. The originality of his proposal lies in the calculation of a reduced statespace compared to that evoked by Berthomieu [3] to verify the schedulability. Such aproposal was improved by Lime and Roux [20,21] to support the tasks with variabletime execution.

The STPN [28] adds constraints on the crossing of the transitions to check therespect for the firing interval. Therefore, the check of these constraints is a new dimen-sion added to the problem of scheduling analysis.

Berthomieu [4] in his turn utilized the inhibitor arcs to introduce the notion ofpriorities within the Petri Nets through the extension of Priority Time Petri Nets(PrTPNs). His proposal was based on a method of temporal analysis of the network.Indeed, from a sequence of non-temporal transitions, his method was to recover thepossible durations between the firing of transitions in order. The durations are thesolutions of a linear programming problem.

Since both PrTPN and STPN are TPNs extensions, they retain these properties,i.e., the indeterminacy of the crossing date of an event. However, the modeling of ascheduling policy of a hard real-time system requires that all the dates used are deter-mined. The priority is modeled through the inhibitors arcs added as new componentsto those of PNs. The RTS modeling with Petri Nets gives rise to the models that areoften complex. Moreover, the addition of an inhibitor arc makes the model more com-plex and therefore the extraction of properties more difficult. Besides, for each one ofthe detailed extensions, the Petri model is used to specify the behavior of the system,but the schedulability is checked through Timed Automata. In fact, as the generatedstates graph from the Petri model is a Timed Automata, exploiting an existing modelchecker based on [3] the schedulability is checked.

A deterministic PN extension, Priority Time Petri Nets (PTPN ), was proposed in[13] in which a crossing date is associated with each temporal event. Actually, a tran-sition is valid when its clock shows the date of firing. In addition, PTPN uses a newmethod for the priorities integration to solve the transitions conflict problem. In thismethod, a priority is inserted on the input arcs of the dependent transitions [13]. More-

123

Page 4: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

over, this method allows the mastery of the PTPN model complexity by eliminatingthe use of another component, as inhibitor arc, to specify priorities. To control thePTPN model size, a hierarchical modeling was proposed in [25]. Besides, althoughthe authors have presented an algorithm for building the corresponding states graph,they have not demonstrated the verification of the schedulability through checkinggraph properties.

The previously presented research studies are concerned with the static priority forscheduling analysis. In multiprocessor systems, it is necessary to specify the schedul-ing analysis through dynamic priority [9]. In this context, we suggest two PNs exten-sions dealing with a dynamic priority of which only one is dedicated for schedulinganalysis.

Bause in [8] presents an analysis of Petri Nets by introducing dynamic priorities toreduce the reachability graph. To deal with it, the authors have defined classes of prior-ities that describe the different variances of a transition enabled by different markingsin different model states. Besides, the authors have indicated that the transitions instructural conflict belong to the same priority class. However, such a condition doesnot allow the Petri to support a scheduling strategy that aims to lift conflicts.

In [16], the authors have proposed the first TPNs extension dynamic Priority TimePriority Time Petri Nets (dPTPN ) dealing with dynamic priority via the introductionof a new component. Indeed, the priority is relative to the model state. The schedulinganalysis is shown through the support of the scheduling policy Least Laxity First (LLF )[12] and a set of independent periodic tasks running on a multiprocessor architecture.However, the LLF is not frequently used in practice, because the cost of preemptionis very high compared to the Earliest Deadline First (EDF ) [22]. In the same vein,the authors have proven the capacity of the dPTPN to deal with EDF as well as withthe dependent tasks in [15]. In this stage, the authors have proposed a Petri model forthe scheduling analysis. Hence, a detailed model for the periodic dependent tasks ispresented. However, the size and the complexity of the entire RTS system model areincreased even though the considered RTS is more complex. Hence, the determinationof all reachable states corresponding to the model and the checking of its properties ismore difficult. In [14], the authors have introduced a new modeling strategy to masterthe complexity of the dPTPN model building on object modeling. They have proposeda new dPTPN model component and identified how it can be instanced to specify thescheduling analysis model. Nevertheless, the exploitation of this abstraction of themodel in the construction of model states and the properties checking is not detailed.

1.2 Contribution and outline of the paper

The existing research works based on Petri Nets, such as PrTPNs and STPN , aimto map from the states graph generated from the Petri model to a timed automata tocheck the schedulability of the modeled RTS. The main objective of this mapping isto exploit an existing model checker proposed in [3]. However, in these approachesthe Petri Nets is considered as formalism used only for modeling and it is not ableto check schedulability. The mapping cost increases the complexity of the schedulingproblem.

123

Page 5: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

As opposed to the existing works, the present work is based on the Petri Netsextension dPTPN for modeling and checking the schedulability of a partitioned mul-tiprocessor RTS. This manuscript demonstrates the capacity of Petri Nets to check theschedulability without mapping to other formalisms. To do so, we aim to prove how togenerate a reduced finite graph and check its properties to deduce the schedulability.We also present a checker tool for implementing our approach: Partitions Checker tool(PARC tool). Starting from an RTS partitions description, it is able not only to build thecorresponding dPTPN model, but also to generate and verify the schedulability. Theresult produced by PARC is a confirmation of the schedulability or a counterexamplewhen the RTS is non-schedulable.

The present paper is organized as follows. Firstly, Sect. 2 presents an overview ofthe dPTPN extension and describes the formal description of dPTPN and how it canbe used for presenting a considered RTS via the hierarchical strategy of modeling.Next, Sect. 3 provides the definition of the states graph that can be deduced from thedPTPN model. In this section, the strategy of graph reduction is described and thealgorithm of construction is proposed. As for Sect. 4, it presents the definition of theschedulability using the graph properties. To do so, this study firstly demonstrates thedecidability of the schedulability with the dPTPN model. It secondly shows how theseproperties can be formulated with graph properties and lastly it proposes an algorithmfor checking it. Afterwards, Sect. 5 shows the PARC tool with the experimentationand demonstrates how it proceeds for checking its schedulability. Finally, the proposedapproach is briefly outlined and future perspectives are given.

2 The dynamic Priority Time Petri Nets

The dynamic Priority Time Petri Nets (dPTPN ) [16] is the first Petri Nets extensionable to specify the temporal events and the dynamic calculation of priorities. In fact,to solve the conflict problem of enabled transitions, the priority changes at runtimeaccording to the Nets’ state.

The dPTPN distinguishes between temporal and concurrent events that are sourcesof conflict. Indeed, two types of transitions T (temporal transition Fig. 1) and Tcp

(compound transition Fig. 2) are proposed.With respect to the temporal transition T (Fig. 1), it is an ordinary PNs transition

with a firing date presented with an integer value between braces. This presentationof time is dedicated to deterministic RTS [13,16,25].

As for the second type of transitions, Tcp (Fig. 2), it is a transition with a pre-processing that precedes the crossing to calculate its priority. Indeed, when two Tcp

Fig. 1 T -transition [16]

123

Page 6: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

Fig. 2 Tcp-transition [16]

transitions are enabled and share at least a place in entry, then the preprocessing ismade to determine the transition which will be fired with a priority changing accordingto the state of the network described by the marking M.

Based on scheduling policy, the preprocessing corresponds to the result of an alge-braic formula to determine the priority of an event. Such formula is characterized bythe value of variables and the arithmetic operators. In ordinary Petri Nets, a variableis presented through place and its value is defined with the place marking. However,the arithmetic operators cannot be presented. To deal with this deficiencies, the Tcp

proposes the coe f arcs to define the arithmetic operators.We start with the presentation of the dPTPN formal definition; then we explain

the semantics of the execution. Next, we show the internal behavior of the real-timetask (Fig. 3) with the dPTPN . Finally, the hierarchical modeling is used to reducethe complexity of the model via the masking of the internal task behavior in a newcomponent (TaskC; Fig. 4).

2.1 Formal definition

Petri Nets [27] can be defined as 4-tuplet:

P N = 〈P, T, B, F〉, (1)

where:

(1) P = {p1, p2, . . . , pn} is a finite set of places n > 0;(2) T = {t1, t2, . . . , tm} is a finite set of transition m > 0;(3) B : (P × T ) �→ N is the backward incidence function;(4) F : (P × T ) �→ N is the forward incidence function.

Each system state is represented by a marking M of the net and defined by : M : P �→N. The dPTPN is defined by the 7-tuplet:

dPTPN = ⟨PN, Tcp, T f , BTcp , FTcp , coef , M0

⟩(2)

(1) PN : is a Petri Net;(2) Tcp = {Tcp1

, Tcp2, . . . , Tcpk

}: is a finite set of compound transition k > 0;

123

Page 7: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

Fig. 3 RTS internal behavioral task with dPTPN

Fig. 4 The task object with dPTPN

(3) T f : T �→ Q+ is the firing time of a transition;

∀t ∈ T , t is a temporal transition⇐⇒ T f (t) = 0.If T f (t) = 0, then t is an immediate transition. Each temporal transition t iscoupled with a local timer (Hl(t)), with Hl : T −→ Q

+.(4) BTcp : (P × Tcp) �→ N is the backward incidence function associated with

compound transition;

123

Page 8: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

(5) FTcp : (P×Tcp) �→ N is the forward incidence function associated with compoundtransition;

(6) coef : (P × Tcp) �→ Z is the coefficient function associated with compoundtransition;

(7) M0 : is the initial marking.

The semantics of firing in dPTPN is based on the partial order theory [2,7,18] build-ing on an equivalence relation between the various sequences of possible crossings,starting from the same state. In fact, when two sequences are found to be equivalent,then only one of them is selected. This equivalence relation is based on the notion oftransitions independence.

The dPTPN semantics is presented with a dPTPN firing machine (dPFM). Foreach marking M , the dPFM initializes a set of transitions dFTs composed of theenabled temporal transitions FTs and the enabled compound transitions FTsTcp

. Theinitializations is called Firiability processing.

dFTs = FTs ∪ FTsTcp. (3)

let t ∈ T, t ∈ dFTs ⇔ t ∈ FTs ∨ t ∈ FTsTcp(4)

with

{FTs = {t ∈ T/B ( . , t) ≤ M}FTsTcp

= {t ∈ T/BTcp ( . , t) ≤ M

}

Next, valid transitions are selected from FTs to VTs by applying the Validity process-ing. All urgent transitions must be indicated in VTs to be ready for firing.

VTs ={t ∈ FTs/Hl(t) = T f (t)

}(5)

The dFTsTcppresents all concurrent transitions. To solve this conflict, the dpfm calcu-

lates the priority of each transition using the marking M and the coef matrix. After-ward, the dFTsTcp

is filtered to present only the transitions with the highest priority.This filtering is made with the Step Selection processing. In fact, this processing is ableto select the Tcp transition having the highest priority according to its neighborhood(Eq. 6).

∀Tcp1, Tcp2

∈ Tcp, Tcp1is a neighbor of Tcp2

⇔ ∃p ∈ Psuch that BTcp(p, Tcp1) = 0 ∧ BTcp(p, Tcp2

) = 0 (6)

In this step, the proposed dPTPN is able to support a selection policy.Finally, the dpfm fires all transitions in the updated sets. The firing is described by

the following equation:

123

Page 9: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

∀FT ∈{

VTs, FTsTcp

}, Firing (FT) �⇒

⎧⎪⎪⎨

⎪⎪⎩

FT = VTs

⇔ M ′ = M +∑t∈FT (F(., t)− B(., t))

FT = FTsTcp

⇔ M ′ = M +∑t∈FT

(FTcp(., t)− BTcp(., t)

)(7)

More details about the dpfm and the firing process can be found in [16].

2.2 Task model construction with dPTPN

The system � presents the scheduling formal specification of the RTS. It is definedby the 4-tuplet:

� = 〈Task, Proc, Alloc, Prec〉 (8)

with:

• Task : {T1, T2, . . . , Tn}, with (n ≥ 0) is the number of tasks; each Ti ∈ Task isdetermined by

Ti = 〈Ri , Pi , Ci 〉 (9)

where, Ri , is the date of the first activation, Pi , the period associated with the task,Ci , the execution period of the task for the Pi period.• Proc : {P1, P2, . . . , Pm}, with m ≥ 0 is the number of processors.• Alloc : Task �→ Proc, a function which allocates a task to a processor. Alloc is a

surjective function. In fact, a processor is allocated to at least one task, but a taskmust be assigned to only one processor.• Prec : Task × Task �→ {0, 1}, a function which initializes precedence relations

between tasks.

In previous research works [15,16], we have suggested a specification with dPTPNof the important component of the RTS: the Real-Time Task. In the current section,we briefly recall the proposed task model (Fig. 3).

In fact, the internal behavior of tasks, described in the above figure (Fig. 3), ispresented through two major patterns, the first of which describes the creation, theactivation and the deadline model of the tasks. This pattern is critical at the schedulinganalysis of the RTS. It is modeled for the description of a stop-Marking when it wasa temporal fault in the system.

As for the second pattern, it is the modeling of the allocation and execution of thetask on the processor. The processor is a shared resource between the tasks of the samepartition. The allocation event is modeled through a Tcp transition and the transitionhaving the highest priority under a defined policy (EDF in [16]; LLF in [15]) allocatesthe processor and begins its execution. The execution modeling is dedicated to discretetime and for each tick of the clock, the task is asked for the liberation of the processorif a new coming task has the highest priority.

Figure 3 presents the completed dPTPN model of the internal behavior of the taskT1(0, 4, 2) ∈ Task. It also shows that each state is modeled by a place and every event

123

Page 10: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

by a transition. When it is about an event accompanied with a date of progress, thetransition will take a firing date similar to that of the event.

At first, T 1 is in an uncreated state; it is presented by a marked place (T1UnCreated).The creation is modeled by a temporal transition “T1Creation” which takes a firingdate “0”.

The crossing of “T1Creation” allows to register a mark in the place “T1Created”and “4” tokens in “T1RemainingPeriod” to indicate the start of the first executionperiod. For each tick of the global clock of the dPTPN , the transition “T1IncPeriod”is validated. Besides, its firing leads to the decrease of the remaining duration beforethe deadline and increase of the exhausted time of the period. When the four tokensare moved toward the place “T1ElapsedPeriod”, the period is exhausted, a new periodmust be activated and a new instance of T 1 must be created.

The Tcp−Transitions are used for modeling the concurrent events. In fact, the taskmodel presents three concurrent transitions sharing the place “T1maker”: “T1endCi”,“T1endDeadline” and “T1RelaxProc”.

It should be noted that there is an emergence of those three events when they areenabled. Furthermore, the priority of each transition must be specified for solving theconflict. In addition, several scenarios should be considered to define each priority.The first one is when the task has completed its Ci units and the deadline is triggered.In the scheduling analysis, this scenario is not considered as a non-schedulable task.Thus, the priority of the “T1endCi” transition is higher than “T1endDeadline”. To doso, the coefficients “3” is attributed to the coefficient arc of “T1endCi” and “2” to thecoefficient arc of “T1endDeadline”.

The non-schedulable system is described when the “T1endDeadline” and“T1RelaxProc” are enabled. It means that a new period is triggered when the lastperiod is still activated. Since the “T1endDeadline” must immediately be fired, we mustattribute a higher priority to it and a smaller priority to “T1RelaxProc” (coef = 1). Thecrossing makes a token in “T1Deadline” and retains the token from “T1activated”.This marking presents a stop marking to the dPTPN task model. When this markingis accessible, the task is announced as non-schedulable.

It can be noted that this task model (Fig. 3) is composed of 16 places, 7 T-Transitionsand 3 Tcp -Transitions, and for modeling the system � those numbers are increased.Thus, the complexity of the model and its interpretation become more and more dif-ficult.

It should be distinguished that for each task of �, the model dPTPN is similar. Infact, only the initialization of the model with the firing times and the weights of arcschange. The modification corresponds to the chosen task of modeling. We can considerthe dPTPN model as an object and each task Ti ∈ Task is an instance of this object.

2.3 Hierarchical modeling

The behavioral specification of objects with Petri Nets presents a major tendency tointegrate between objects and PNs. Indeed, the networks are used to describe theinternal behavior of objects, whose internal state is indicated by the marks in thenetwork places. Moreover, the execution of the methods of an object is described withthe transitions.

123

Page 11: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

So, the net structure does not only specify the availability of a method according tothe internal state of the object, but also indicates the possible sequences of methodsexecution by the object. The interest of Petri Nets is to describe the intrinsicallycompeting objects capable of executing several methods at the same time. Furthermore,certain transitions of the net may remain “hidden” or protected inside an object, andtherefore model the internal and spontaneous behavior of an object by contrast to theservices it offers to its environment.

The fundamental concern of such approach is to allow the use of concepts stemmingfrom the objects approach (classification, encapsulation) so as to describe the systemstructure, instead of using a purely hierarchical structuring.

In the “Petri Nets in objects” paradigm, a system is described as a set of objectsthat communicate the behavior of each object being described in terms of Petri Nets.Mostly, these approaches are class based, which allows the association of a PNs witha class of objects rather than with an individual object.

Based on this approach, we proposed, in [14], a new object called TaskC (Fig. 4)to encapsulate the task model presented in (Fig. 3).

“TaskC” is characterized by two interfaces which assure the communication withits environment: input and output. In fact, each interface is a finite set of places. Thegraphical definition of TaskC is presented in Fig. 4 and defined with the triplet:

TaskC = 〈dPTPN, II, OI〉 (10)

with:

(1) dPTPN : is the dPTPN model presented in Fig. 3;(2) II = {PUncreated, PReceivedData, PgetProc}: is the places that composed the Input

Interface;(3) OI = {PReady, PRemainingPeriod, PSendData, PReleaseProc, PDeadline}: is the places

that composed the Output Interface.

The modeling of the interaction between the instances of tasks and the sharing ofprocessors between them is the new RTS model with dPTPN . Hence, we start fromthis presentation to verify the properties of the RTS.

2.4 Case study

In this section, we consider a pedagogical case study dealing with four tasks runningon two processors (Table 1), to show how the dPTPN model can be created. Based onthis case study, we will demonstrate the creation of the states graph and later presenta real experimentation in Sect. 5.

Using the definition of �, the specifications of the task characteristics as well asthe allocation of the processors by the tasks are described as follows.

Task = { T 1, T 2, T 3, T 4} ; Proc = {P1, P2};Prec(T 1) = � ; Prec(T 2) = �;Prec(T 3) = {T 1} ; Prec(T 4) = {T 3};

123

Page 12: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

Table 1 Tasks’ characteristicsof the experiment

Id_Task Ri Ci Period Alloc

T1 0 1 3 P1

T2 0 2 5 P1

T3 0 2 6 P2

T4 0 2 5 P2

Fig. 5 The dPTPN model of the case study

Figure 5 presents the dPTPN model according to the case study. Four TaskC arecreated to model the four tasks of �.

The model describes two types of precedence. First is the precedence betweentasks, defined by the application Prec of �. In fact, a place (Ti 2Tj ) is introduced toindicate the information sent from the task Ti to Tj . Second, the precedence betweenthe task instances is also considered in the model Fig. 5. Indeed, an instance of Ti

can be activated only if the previous one is correctly executed. This information isspecified with the place Ti 2Tj .

3 States graph

To verify the schedulability of an RTS, a states graph describing the evolution of thesystem according to time is required. In fact, it presents a prediction of the differentstates that the modeled RTS can reach.

First of all, we define the state S and the states graph G. Next, we propose thealgorithm of construction.

123

Page 13: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

3.1 Graph reduction

In [16], a states graph (SG = 〈S, A〉) construction algorithm is given. Each state ofthe system is constructed, including the internal behavior of the tasks.

Dealing with complex RTS, the algorithm gives birth to an exponential size of statesand then the properties verification becomes more difficult. So, it is important to thinkof the reduction of the states graph before checking the properties. It should be bornein mind that the reduction must retain the behavioral characteristics of the system.

Regarding the task model (Fig. 3), the hierarchical modeling is used to reduce thecomplexity of the model via the masking of the internal behavior of the task in a newcomponent (TaskC; Fig. 4). In fact, two place interfaces are given to present the com-munication of the TaskC with its neighborhood. In this vein, we take advantage of thispresentation to reduce the states graph. Only the states according to the TaskC inter-faces are required to be presented in the new states graph and the internal behavioralstates will be discarded.

Let us focus on the set of states (ST ⊂ S) covering all those of an instance Ti ofTaskC.

Let s1, s2, s3 ∈ ST and a1, a2 ∈ A with s1a1−→ s2

a2−→ s3. a1 is a dFTs composedof valid and highest priority Tcp transitions according to the marking of s1. We supposethat all the transitions of a1 correspond to the internal behavior task events. Hence,the marking of the input and output places of TaskC in s2 are not changed comparedto s1.

The reduction rule is then defined with an interlacement relation between states asfollows:

If s1a1−→ s2

a2−→ s3 and s2 is an �⇒ s1aα−→ s3, with

internal behavior state of Ti aα = a1; a2.(11)

It is deemed essential to give a new definition of the state s to present only the markingof the input and output interfaces of the instance Ti .

3.2 Definitions

We consider the state STi to describe the current state of the task Ti ∈ TaskC, with STi

defined as follows:

STi : {II, OI, PTask2Task, Proc} −→ N (12)

with:

• II: the Input Interface corresponding to Ti ;• OI: the Output Interface corresponding to Ti ;• PTaskC2TaskC : Set of places which specifies the precedence relations between tasks.

It contains two subsets, the first of which is Ti 2Tj and the second is Ti 2Ti tospecify the precedence relation between the instances of each task;• Proc: the places presenting the processors.

123

Page 14: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

STi is presented as a vector according to an instance of TaskC. For a given date t , thecollection of all states STi of all instances of TaskC describes the state of the RTSmodel. Hence, this collection can be considered as a class of states and it is definedwith:

Sc : {II, OI, PTask2Task, Proc} × TaskC −→ N (13)

Corresponding to the case study (Sect. 2.4), the Sc0 is the initial state. It describesall the initial markings of the TaskC places and the places of communication. It ispresented in the following:

Sc0 =

PUncreated

PReceivedData

PgetProc

PReady

PRemainingPeriod

PSendData

PReleaseProc

PDeadline

Ti 2Ti

Ti 2Tj

P1P2

⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎜⎝

TaskC1 TaskC2 TaskC3 TaskC41 1 1 11 1 0 00 0 0 00 0 0 03 5 6 50 0 0 00 0 0 00 0 0 00 0 1 10 0 0 01 1 0 00 0 1 1

⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎟⎠

The states graph G is defined by the triplet:

G = 〈Sc, τ, ρ〉 (14)

• Sc = {Sc0 , Sc1 , . . . , Scn }: is a finite set of states with n > 0;• τ = {τ1, . . . , τm}: is a finite set of edges connecting states with m > 0;• ρ: is an incidence relation indicating the successor of a given state through a

transition and it is defined as follows:

ρ : Sc × τ −→ Sc ∪ �(Sci , τ j

) �−→{

Sch if Sch is a successor of Sci

� if Sci has no successor

The construction of Sc and τ , and the incidence relation ρ are established via analgorithm of graph construction.

3.3 States graph construction

The proposed algorithm (Algorithm 1) is an improvement of the algorithm proposedin [16]. Actually, it retains the main characteristics of the dPTPN based on firing the

123

Page 15: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

valid temporal transitions and compound transitions with the highest priority. But, itbuilds only the states related to the communication between RTS components.

The principal variables used in this algorithm are as follows:

– dPTPN : the dPTPN model;– Sc: the set of states;– τ : the set of edges connecting states;– M : the marking of the dPTPN model;– MI : the marking of the places corresponding to state Sc;– dFTs : enabled transitions set;– FTs : enabled temporal transitions set;– dVTs : valid temporal transitions set;– dFTsTcp

: enabled compound transitions set;– Hl: Timers set;

Starting from the initial state of dPTPN model, a vector M is initialized with thefunction initializeMarking(M). M describes the states of all the places of the model.However, we are interested in the communication places between the RTS components:the places presenting the Sc states. Hence, MI is defined to describe this informationand it is initialized from M through the function Sub().

Algorithm 1 State graph construction1: initializeMarking(M)

2: Sub(MI , M) {/*Sub is a procedure allowing the initialization of MI from the marking M*/}3: SetTimer(Hl)4: Sc0 ← StateConstruction(MI )5: index State← 0, index Edge← 06: repeat7: Sc ← Sc ∪

{Scindex State

}

8: τindex Edge ←�, W ← MI9: repeat10: dPFM(d FTs ,M ,MI , Hl)11: τindex Edge = τindex Edge ∪ {d FTs }12: until W = MI or τindex Edge = � {/*Looking for a new M I marking*/}13: if W = MI then14: Succ← StateConstruction (MI ){/*Construction of new state*/}15: τ ← τ ∪ {

τindex Edge}{/*Construction of new edge*/}

16: rho(Scindex State , τindex Edge

)← Succ{/*Checking if the new state presents a deadline*/}

17: if CheckDeadline(Succ)= True then18: FinalState← Succ19: Sc ← Sc ∪ {FinalState}20: end if21: else22: FinalState← Scindex State23: end if24: index State← index State + 125: index Edge← index Edge + 126: until Succ ∈ Sc or FinalState = �

{/*Construction is stopped if a final state is created or the new state exists in the graph*/}

123

Page 16: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

The initial value of MI allows the creation of the initial state Sc0 . From this state,a repetitive process is executed to define all reachable successors states and each oneis added to Sc set. To define the edges set τ , connecting two successive Sc states, the

Procedure 2 dPFM(var d FTs , var M , var MI , var Hl)1: d FTs = �2: if M ≥ B or M ≥ BTcp then3: Firability(d FTs ){/*identifying the enabled transitions*/}4: FTs ← temporalTransition(d FTs )5: FTsTcp

← CompoundTransition(d FTs )

6: if FTs = � then7: V Ts ← V alidi t y (FTs ){/*checking the validity of enabled transitions*/}8: if V Ts = � then9: Firing(V Ts ,M) {/*Firing valid transitions*/}10: Sub(MI , M)11: ResetTimer(Hl(V Ts ))12: else if FTsTcp

= � then13: SetIncrementTimer(Hl(FTs )) {/*Incrementing the timer of enabled and non-valid transitions*/}14: end if15: else if FTsTcp

= � then16: StepSelection(FTsTcp

){/*Selecting the Tcp transitions having the highest priority*/}

17: Firing(d FTs ,M)18: Sub(MI , M)19: end if20: end if

main algorithm (Algorithm 1) calls for the dPFM procedure (Algorithm 2). Indeed,dPFM starts with the markings M and MI as input/output parameters. The body ofthe procedure implements the semantics of the execution of the dPTPN firing process.During the execution of dPFM, the time requirement and the selection policy of thehighest priority of Tcp-transitions are respected.

The dPFM (Algorithm 2) accelerates the firing process with the firing of a set oftransition, dFTs , simultaneously. This property is valid because the dPTPN deals withthe conflict of enabled transitions problem via a dynamic calculus of priorities andonly the transition with the highest value of priority is fired. So, the dFTs contains onlyindependent transitions that can all be crossed together. The novel resulting markingis the combination of a collection of sub-states that can be created if each enabledtransition is fired apart. This technique is known as partial order reduction technique.

Hence, after the firing, the vector MI is also updated. In the case where the updatebrings no change to MI , this means that the fired dFTs is an execution of internalbehavior of components. So, the set of transitions dFTs is registered in τindexEdge anda new iteration to call the dPFM is necessary. When a new marking MI is met, theconstruction of the novel state (successor) is then required and the edge to reach it inthe graph is defined by τindexEdge. Indeed, τindexEdge contains all encountered dFTs ofthe different calls of dPFM, i.e., τindexEdge describes the interlacement relation definedby the (Eq. 11). To connect the state Sci with its successor via the edge τindexEdge, theincidence relation ρ(ScindexState, τindexEdge) is initialized with the novel state.

123

Page 17: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

Fig. 6 States graph corresponding to the case study

Regarding the algorithm, we note that the construction is based on the research ofa successor state. It is important to bear in mind that between a current state ScindexState

and its successor there is a temporal relation, known as logical time. Hence, the dPTPNspecify a type of transitions, temporal transitions, characterized with physical time.An important key challenge is to ensure the reconciliation between the logical andphysical time.

One of the most vital activities of the dPFM machine is the synchronization man-agement of the local timers of temporal transitions relative to the global timer of thetemporal model of dPTPN . The synchronization is for checking the validity of enabledtransitions before firing. If the local timer of an enabled transition does not indicate thedate of firing then the transition is not valid and will be excluded from the dFTs . Theglobal timer is incremented when the dFTs is empty and non-valid enabled transitionsexist. The incrimination of the global timer leads to the incrimination of local timers.

The dPFM respects the physical time during the construction of states and searchesfor a successor from each current state. These two properties of dPFM give birthto an oriented states graph in which each state can exist only if their precedents areconstructed. Thus, the specification of physical time is transformed to logical timein the states graph. The construction of the states and the relation of reachability arefinished when one of three situations is verified. First, the marking of a place of thetype PDeadline describes that its corresponding task is non-schedulable (the Booleanfunction CheckDeadline(Succ) is used in the algorithm for checking the marking ofthe PDeadline places). In fact, according to the dPTPN model of the task, this marking isdefined as a stop-Marking, but according to the entire RTS model it is not. Therefore,the algorithm is stopped at this stage and a final state is announced. The secondsituation is when the current marking M of all the existing places cannot enable anydPTPN -transitions and then the current state ScindexState is considered as a final state.As for the third situation, the construction is terminated when the updated markingMI gives rise to a state existing in Sc and the corresponding edge τindexEdge connectsthe current state to the existing one.

To explain the Algorithm 1, we present in Fig. 6 the states graph corresponding to thedPTPN model of the case study (Sect. 5). Starting with the construction of the initialstate Sc0 (described previously in Sect. 3.2), the procedure dPFM is called to define anew marking. The first activity of the dPFM is the definition of the enabled T and Tcp

transitions, respectively, in FTs and FTsTcp sets, through the function “Firability”. Infact, the current marking enabled T-transitions: T1Creation, T2Creation, T3Creationand T4Creation. The FTs set is not empty and the dPFM calls the function “Validity”

123

Page 18: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

for checking the validity of its enabled transition in the set VTs . All the enabledtransitions are valid. Hence, the dPFM calls for the function “Firing” to fire them andcreate the new marking M.

The function “sub” allows the extraction of the marking MI from M to describe thestates of all the communication places. If the MI marking is modified, compared to itsstates before the execution of the dPFM, then a new state Sc is created. Otherwise, thedPFM is called for one more time. Regarding the case study, the firing of VTs withthe initial marking leads to the modification of the communication places. Hence, thestate Sc1 is created, the edge τ1 = {T1Creation, T2Creation, T3Creation, T4Creation}(Fig. 6).

Corresponding to the case study, 56 states are created (Fig. 6), of which the stateSc56 presents a mark in the place T4Deadline. So, the construction is then terminatedand this is considered as a final state.

4 Schedulability checking

After the construction of the states graph corresponding to the dPTPN model, we looknow for checking the schedulability in the graph. To do so, we present at first thedefinition of the schedulability and how it can be written with the graph properties.Next, we prove how this property is decidable in the proposed model and we confirmthat the reduction retains this property in the reduced graph. Finally, we propose thealgorithm for traversing the graph and checking the schedulability.

4.1 Decidability of the schedulability property in the graph

Before checking the schedulability, it is necessary to guarantee that the dPTPN model-checking schedulability is decidable. To do so, we define the decidability as follows:

M |= � ⇔ ∃A, A able to check � (15)

with:

• M : is the dPTPN model;• �: is the schedulability property;• A: is an algorithm able to check the property.

To prove that M | = �, we will demonstrate the existence of an algorithm A able toverify the property �.

Starting from a dPTPN model, a graph is constructed to present the predictionof the scheduling of the system via a scheduling policy based on dynamic priority-driven scheduling. In the present manuscript, the graph is given from dPTPN modelingof the Earliest Deadline First (EDF ) algorithm to schedule a periodic RTS runningon a partitioned multiprocessor architecture. Hence, the partitioned multiprocessorscheduling reduces the scheduling problem in single-processor scheduling problemsin which the EDF is considered as an optimal scheduling algorithm [22]. Thus, all

123

Page 19: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

the results and properties proved in a single processor are available in the case ofpartitioned scheduling, such as the EDF optimality.

An algorithm is optimal if a valid scheduling of the system exits, and the former isable to find it. Hence, not only EDF is optimal in the considered system, but also ableto check the schedulability.

The dPTPN model corresponds to the specification of the EDF , and the dPTPNsemantics of firing is adequate to the EDF selecting tasks policy. Hence, the con-structed states graph from the model is a prediction of the scheduling sequence basedon EDF algorithm. So, it is not necessary to look at the existence of an algorithm Abecause it already exists (A = EDF ) and then the schedulability (�) is decidable onthe model (M).

The checking of the schedulability is then a check of the graph via the verificationof its properties. So, it is obvious to translate the schedulability to graph propertiesand look for checking them in the graph.

4.2 Schedulability definition

After proving the decidability of the schedulability in the dPTPN model, we looknow for checking it using the states graph. Thus, a translation of the schedulabilitydefinition on graph properties is imperative. Indeed, from the properties of the statesgraph the schedulability is then verified. An absurd reasoning seems to be easier todefine the schedulability with graph properties. In fact, starting from the definition ofthe non-schedulability in graph properties, the definition of the schedulability is thendeduced.

Informally, the non-schedulability is defined as: “an RTS is non-schedulable ifone task belonging to one partition does not meet its deadline”.To specify it, thedPTPN model tasks offers a place PDeadline (∈ O I ) and its marking indicates thenon-schedulability of the corresponding task, respectively, the non-schedulability ofthe RTS. The corresponding state in the graph representing the marking of PDeadline

is the final state. The formal definition of this state is the following:

Let Sc f ∈ Sc, Sc f is a final state ⇔ ∀τ j ∈ τ, ρ(Sc f , τ j ) = � (16)

Focus on graph properties; if the graph G contains an Sc f , then Sc f is called a deadlockstate. Thus, the presence of such state implies the non-liveness of the graph andthereafter the first definition is detailed:

Definition 1

RTS is non-schedulable⇔ Deadlock state ∈ Sc of G⇔ Liveness is not verified in G

In the case of non-schedulable system, the marking of deadlock state indicates whichtasks caused the temporal fault. This description presents important information toreturn to the partitioning tool to reduce the space exploration.

At present, let us come back now to the definition of the schedulability:

123

Page 20: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

Definition 2 An RTS is schedulable⇔ the liveness is verified in G.The liveness in G can be defined with:

G is live ⇔ ∀Sci ∈ Sc; ∃τ j ∈ τ with ρ(Sci , τ j

) = �

The checking of the schedulability is then a checking of the liveness in the generatedstates graph.

4.3 Liveness checking

The states graph generated from the algorithm (Algorithm 1) is characterized withtwo main aspects: finite and directed Graph. First, the number of states and edges arefinite so the graph is finite. Second, the construction is made with respect to the timeconstraints, then the existing states are ordered and all edges connect a state with itssuccessor.

The liveness property checking is assured with the function (Algorithm 3). In fact,the graph is traversed in order to verify the liveness definition presented in the previoussection.

From the initial state, the function begins traveling the graph G. The travelingcontinues while the current state has a successor.

If each state has a successor, then the graph is considered alive and the functionreturns the value “true”. Otherwise, if a state has no successor, the correspondingstate is a Deadlock State and the function return “false”. So, we can deduce thatthe modeled RTS is non-schedulable. Regarding the graph presented in Fig. 6, thealgorithm (Algorithm 3) indicates the existence of a final state (Sc56 ). This state isa Deadlock State for the graph and then the liveness of the graph is not confirmed.

Function 3 Checking_Liveness(Graph G): Boolean1: Current State: local variable for traversing the graph2: Next StateExisi t : unvisited states3: I ndex Edge: edge index4: begin5: Current State← Sc06: Next StateExisi t ← SizeO f (Sc){/*The number of states to traverse*/}7: I ndex Edge← 0

{/*A loop to traverse the graph*/}8: while ρ

(Current State, τI ndex Edge

) = � and Next StateExisi t > 0 do9: Current State← ρ

(Current State, τI ndex Edge

)

10: I ndex Edge← I ndex Edge + 111: Next StateExisi t ← Next StateExisi t − 112: end while

{/*the loop is stopped if a final state exists or a cycle exists*/}13: if ρ

(Current State, τI ndex Edge

) = � then14: return f alse15: else16: return true17: end if18: end Checking_Liveness

123

Page 21: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

Hence, the RTS is non-schedulable. In fact, concerning this state, it presents a markin the place T4Deadline. So, the task T4 is non-schedulable.

5 Partitions checker (PARC) tool

In the present section, we propose the PARC tool implementing the proposed approachfor the scheduling analysis. Starting from a description of a given partition, the PARCtool is able, on the one hand, to present the corresponding dPTPN model and, on theother hand, to supply the schedulability checking.

To demonstrate the usability of the PARC tool, we introduce a real-time experi-mentation.

5.1 Robot footballer experimentation

The experiment presents a football player robot application [33] in which the videotasks for object detection, wireless communications for message exchanging withother devices, motor controls, sensor acquisition, image processing and decision com-putation are included. The studied system is composed of four major parts:

• Acquiring and processing image. It is handled through tasks T2, T5, T7, T8 andT9;• Communication HF : The information exchanges between the robot, the players

and coaches are made by the following tasks: T1, T4;• T6 and T12. Knowing that while T12 is used to send data, T1, T4 and T6 serve

for reception;• Data fusion by task T10 and path computation through T11;• Control of location: it is done through the new trajectory coordinates calculated

by the task T11 and through the current robot position. The location is computedthrough task T3. Thereafter, T13 controls the motors.

The dependencies between the 13 studied tasks are defined in Fig. 7 as follows:As for the system architecture, it is composed of four processors. In addition, the

robot architecture includes a set of memories: cache memory, DMA and RAM. Italso covers a battery and a communication bus. The formal description of the robotfootballer experiment is defined using the system � (Eq. 8), with:

• Task : {T 1, T 2, . . . , T 13};• Proc : {P1, P2, P3, P4};

The precedence function Prec is initialized with:

Prec(T 1) = �; Prec(T 2) = �;Prec(T 3) = �; Prec(T 4) = {T 1};Prec(T 5) = {T 2}; Prec(T 6) = {T 4};Prec(T 7) = {T 5}; Prec(T 8) = {T 5};Prec(T 9) = {T 5}; Prec(T 10) = {T 6, T 7, T 8, T 9};

Prec(T 11) = {T 10}; Prec(T 12) = {T 11};Prec(T 13) = {T 3, T 11};

123

Page 22: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

Fig. 7 Task graph of robotfootballer application

Table 2 The characteristics and the distribution of each task

Taski Ri Pi Ci Alloc Taski Ri Pi Ci Alloc

1 0 20 8 P1 8 0 45 8 P2

2 0 30 15 P1 9 0 40 6 P3

3 0 70 8 P4 10 40 40 10 P3

4 0 20 6 P1 11 40 20 12 P4

5 0 40 15 P2 12 70 20 12 P4

6 0 20 4 P1 13 70 30 10 P4

7 0 40 15 P2 – – – – –

To precisely allocate each task to a processor, the initialization of the function Allocis assured via a partitioning tool. In fact, to generate different partitions, a specificpartitioning tool such as RTDT [31] is required and, for each partition, the PARC isused for analysis.

Table 2 presents the characteristics and the corresponding allocation of each taskof the system � that is adequate to a given partition.

5.2 PARC demonstration

The RTDT tool provides the description of all processors partitions correspondingto the robot footballer experiment in an XML file. This is present in the input of thePARC tool.

An extraction step is required to initialize the attributes necessary for creating themodel. In fact, the set of tasks is initialized with the temporal characteristics of each

123

Page 23: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

Fig. 8 The PARC tool

task. For each processor, its assigned task is extracted from the XML file. Finally, theprecedence relation is initialized.

Since the extraction of all necessary data is realized, the dPTPN model of theexperiments is created (Fig. 8). Hence, the selection of a chosen TaskC on the modelallows the exhibition of the characteristics of its corresponding task.

Clicking on the “Initialize dPTPN model” button, the created model is initializedwith the initial marking. Indeed, for all the places PUncreated of the 13 TaskC, thefour places of processors are initialized with a mark. Besides, all the places Ti 2Ti areinitialized with a mark to indicate that all the tasks can start the activation of the firstjob. However, the dependent tasks are waiting for the marking of their correspondingplace Ti 2Tj to begin the activation of the first job.

At this stage, all necessary data for generating the states graph are ready. The choiceof the “Construct States graph” button allows this generation by applying the algorithm(Algorithm 1). Finally, the “Check Schedulability” allows the checking of the livenessof the graph to deduce the experiment schedulability.

The checking result is registered in XML file, as an output file of the checker tool., If the system is non-schedulable, the file describes the details of the non-schedulablepartition of tasks. Hence, this description is a useful feedback to the RTDT to generate

123

Page 24: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

new partitions by excluding all combinations containing the checked partition. Thus,the feedback allows the reduction of the space solutions exploration.

Figure 8 describes a checking of a given partition. The constructed states graphis composed of 294 states. The checking of the schedulability fails because of theexistence of a deadlock state. The feedback indicates that the tasks T 3, T 11, T 12 andT 13 on the processor P4 are non-schedulable.

If we are to situate our PARC tool with regard to the existing tools, in addition todealing with dynamic priority, we note the following distinctions:

• Contrary to Cheddar tools [30], Mast [11], Times [1], which cannot cover allthe possible states of the system, PARC starts from an initial state to succeed indetermining the error source if it occurs.• Pertaining to other extensions presented in Sect. 2, ROMEO [10] for STPN and

TINA [5] for PrTPN , PARC offer a strategy to reduce the states graph and avoidsthe combinatorial explosion in front of a large number of states. This strategyallows the use of this graph for checking the schedulability without mapping toother formalism, such as the Timed Automates.

6 Conclusion

The dynamic Priority Time Petri Nets (dPTPN ) is characterized by its capacity tospecify time and dynamic priority [16]. Therefore, it proved its ability to supportdynamic priority-driven scheduling for real-time systems such as the EDF policy[15].

To check the schedulability of a partitioned multiprocessor real-time system, wehave proposed an abstract dPTPN model allowing the construction of a reduced statesgraph. In fact, based on the hierarchical modeling [14], we have proposed a simplifieddPTPN model presenting the interaction between RTS components: task/task andtask/processor. Thus, we have masked the complexity of the dPTPN task model in anew dPTPN component to present the task (TaskC). This component provides twoplace interfaces for the interaction with its neighborhood and then the state of TaskC isdeduced from the marking of the interfaces places. Therefore, the state correspondingto the entire RTS dPTPN model is constructed from the states of all TaskC and themarking of the communications places. Based on this description, we have proposedan algorithm to generate the states graph. The edges connecting between the statesdescribe all transitions allowing the updates of the marking of the dPTPN model.

The schedulability checking is transformed into checking graph properties. In fact,after proving its decidability with the dPTPN model, we have defined the schedula-bility with graph properties. Then, an algorithm is proposed allowing the checking ofthese properties in the graph. The proposed approach is implemented in the PARCtool (Partition Checker) and demonstrated through an experiment. We have used anexisting partitioning tool (RTDT) and shown the usability of the tool. In fact, PARCproduces an affirmation of the schedulability of the system or a counterexample inthe case of non-schedulable system. Hence, the produced counterexample presentsfeedback to the partitioning tool to reduce the SW/HW space exploration.

123

Page 25: Scheduling analysis based on model checking for multiprocessor real-time systems

Scheduling analysis based on model checking

In future works, we are interested in the integration of the proposed schedulinganalysis approach into SW/HW space solutions exploration based on model-drivenengineering (MDE) [29]. The main objective is to assure the scheduling analysisof models specified with the Unified Modeling Language (UML) profile ModelingAnalysis of Embedded Real-Time System (MARTE) [23]. To do so, we aim to trans-form these models to dPTPN models and then try to apply our proposed schedulabilitychecking approach.

We also intend to improve the PARC tool to be able to propose an ameliorated par-titioning for tasks causing a temporal fault. Thus, we aim to allow a restrict migrationof some tasks to obtain a schedulable system. In addition, we also aim to consider thesoft RTS in future research works.

References

1. Amnell T, Fersman E, Mokrushin L, Pettersson P, Wang Y (2002) Times—a tool for modelling andimplementation of embedded systems. In: TACAS ’02: Proceedings of the 8th international conferenceon tools and algorithms for the construction and analysis of systems. Springer, London, pp 460–464

2. Antti V (1989) Stubborn sets for reduced state space generation. In: Applications and theory of PetriNets, pp 491–515

3. Berthomieu B, Diaz M (1991) Modeling and verification of time dependent systems using time petrinets. IEEE Trans Softw Eng 17(3):259–273

4. Berthomieu B, Peres F, Vernadat F (2006) Bridging the gap between timed automata and bounded timepetri nets. In: FORMATS, pp 82–97

5. Berthomieu B, Vernadat F (2006) Time petri nets analysis with tina. In: QEST, pp 123–1246. Bertogna M, Baruah SK (2011) Tests for global EDF schedulability analysis. J Syst Archit Embed

Syst Design 57(5):487–4977. Buy U, Sloan RH (1994) Analysis of real-time programs with simple time petri nets. In: ISSTA ’94:

Proceedings of the 1994 ACM SIGSOFT international symposium on software testing and analysis.ACM, New York, pp 228–239

8. Bause F (1997) Analysis of petri nets with a dynamic priority method. In: Azéma Pierre, BalboGianfranco (eds) Application and theory of petri nets 1997, vol 1248., Lecture Notes in ComputerScienceSpringer, Berlin, pp 215–234

9. Carpenter J, Funk S, Holman P, Srinivasan A, Anderson J, Baruah S (2004) A categorization of real-time multiprocessor scheduling problems and algorithms. In: Handbook on scheduling algorithmsmethods, and models. Chapman Hall/CRC, Boca

10. Gardey G, Lime D, Magnin M, Roux OH (2005) Romeo: a tool for analyzing time petri nets. In: CAV,pp 418–423

11. Gonzalez Harbour M, Gutierrez Garciia JJ, Palencia Gutierrez JC, Drake Moyano JM (2001) Mast:modeling and analysis suite for real time applications. Euromicro conference on real-time systems, p0125

12. Goossens J, Richard P; Université Libre De Bruxelles (2004) Overview of real-time scheduling prob-lems. In: Euro workshop on project management and scheduling

13. Hadj Kacem Y, Karamti W, Mahfoudhi A, Abid M (2010) A petri net extension for schedulabilityanalysis of real time embedded systems. In: PDPTA, pp 304–314

14. Karamti W, Mahfoudhi A, Hadj Kacem Y (2012) Hierarchical modeling with dynamic priority timepetri nets for multiprocessor scheduling analysis. In: ESA, the 2012 international conference on embed-ded systems and applications, pp 114–121

15. Karamti W, Mahfoudhi A, Hadj Kacem Y (2012) Using dynamic priority time petri nets for schedulinganalysis via earliest deadline first policy. In: ISPA, Madrid, pp 332–339

16. Karamti W, Mahfoudhi A, Hadj Kacem Y, Abid M (2012) A formal method for scheduling analysis ofa partitioned multiprocessor system: dynamic priority time petri nets. In: PECCS, Italy, pp 317–326

17. Kato S, Yamasaki N (2011) Global edf-based scheduling with laxity-driven priority promotion. J SystArchit Embed Syst Design 57(5):498–517

123

Page 26: Scheduling analysis based on model checking for multiprocessor real-time systems

W. Karamti, A. Mahfoudhi

18. Kimmo V (1994) On combining the stubborn set method with the sleep set method. In: Valette R (ed)Application and theory of petri nets 1994: proceedings of 15th international conference, Zaragoza,volume 815 of Lecture Notes in Computer Science, Spain. Springer, Berlin, pp 548–567

19. Kwang SH, Leung JY-T (1988) On-line scheduling of real-time tasks. In: IEEE real-time systemssymposium, pp 244–250

20. Lime D, Roux OH (2009) Formal verification of real-time systems with preemptive scheduling. Real-Time Syst 41(2):118–151

21. Lime D, Roux OH (2004) A translation based method for the timed analysis of scheduling extendedtime petri nets. In: RTSS ’04: proceedings of the 25th IEEE international real-time systems symposium.IEEE Computer Society, Washington, DC, pp 187–196

22. Liu CL, Layland JW (1973) Scheduling algorithms for multiprogramming in a hard-real-time envi-ronment. J ACM 20:46–61

23. Object Management Group (OMG) (2008) A UML profile for MARTE: modeling and analysis ofreal-time embedded systems, beta 2, ptc/2008-06-09. Object Management Group

24. Sha L, Abdelzaher T, Arzén KE, Cervin A, Baker T, Burns A, Buttazzo G, Caccamo M, Lehoczky J,Mok KA (2004) Real time scheduling theory: a historical perspective. Real Time Syst 28:101–155

25. Mahfoudhi A, Hadj Y, Karamti KW, Abid M (2012) Compositional specification of real time embeddedsystems by priority time petri nets. J Supercomput 59(3):1478–1503

26. Merlin PM (1974) A study of the recoverability of computing systems. PhD Thesis, Univ. California,Irvine. Available from Univ Microfilms, Ann Arbor, No. 75-11026

27. Petri CA (1962) Fundamentals of a theory of asynchronous information flow. In: IFIP congress, pp386–390

28. Roux OH, Déplanche AM (2002) A t-time Petri net extension for real time-task scheduling modeling.Eur J Autom (JESA) 36(7):973–987

29. Schmidt DC (2006) Model-driven engineering. IEEE Comput 39(2)30. Singhoff F, Legrand J, Nana LT, Marcé L (2004) Cheddar: a flexible real time scheduling framework.

ACM Ada Lett J 24(4):1–8. ACM Press, ISSN :1094-364131. Tmar H, Diguet JP, Azzedine A, Abid M, Philippe JL (2006) Rtdt: a static qos manager, rt scheduling,

hw/sw partitioning cad tool. Microelectron J 37(11):1208–121932. Triviño F, Sánchez JL, Alfaro FJ, Flich J (2012) Network-on-chip virtualization in chip-multiprocessor

systems. J Syst Archit Embed Syst Design 58(3–4):126–13933. Veloso M, Pagello E, Kitano H (eds) (2000) Robocup-99: Robot Soccer World Cup III

123