Mixed-Criticality Scheduling with Limited HI-Criticality Behaviors

Abstract. Due to size, weight, and power considerations, there is an emerging trend in real-time embedded systems design towards implementing functionalities of different levels of importance upon a shared platform, i.e., implementing Mixed-Criticality (MC) systems. Much existing work on MC scheduling focuses on the classic Vestal model, where upon a mode switch it is pessimistically assumed that all tasks may simultaneously exceed their less pessimistic execution time estimations, or lo-WCETs. In this paper, a less pessimistic MC model is proposed that lets system designers specify the maximum number of tasks that may simultaneously exceed their lo-WCETs. The applicability and schedulability of the classic EDF-VD scheduler under this newly proposed model are studied, and a new schedulability test is presented. Experiments demonstrate that, by applying the proposed model and the new schedulability test, significantly better schedulability can be achieved.


Introduction and Motivation
The Worst-Case Execution Time (WCET) abstraction models the execution behavior of real-time tasks. Given a piece of code to execute upon a specified platform, the WCET is an upper bound on the time needed to finish the execution of a single invocation of that piece of code. Unfortunately, even when severe restrictions are placed upon the structure of the code (e.g., known loop bounds), it is still difficult to determine the exact WCET. Furthermore, the occurrence of the WCET is usually extremely unlikely, except under highly pathological circumstances such as faults.
In order to utilize the significant gap between the actual running time and the WCET, it has been proposed to implement functionalities of different degrees of importance (or criticalities) upon a shared platform. Under such a design, for each of the more important tasks, a less pessimistic execution time estimation is also provisioned in addition to the most pessimistic WCET. When the more important tasks actually complete within these less pessimistic estimations, less important tasks are allowed to execute as well, so that processor capacity is not wasted. In contrast, in the occasional situations where the more important tasks execute beyond their less pessimistic estimations, the less important tasks may be dropped. In order to validate systems under this design approach, Mixed-Criticality (MC) scheduling techniques are needed. Prior research on MC scheduling (see [7] for an up-to-date review) has focused on the Vestal model [15], which assigns multiple WCET estimations to each individual task. Typically, in the two-criticality-level case, each task is designated as being of either higher (hi) or lower (lo) criticality. Two WCETs are specified for each hi-criticality task: a lo-WCET and a larger hi-WCET, which could exceed the lo-WCET by several orders of magnitude. One WCET is specified for each lo-criticality task: the lo-WCET.

⋆ Supported by NSF grants CNS 1755965, CNS 1563845, and CNS 1717589, ARO grant W911NF-17-1-0294, and funding from General Motors and the Center for Advancing Faculty Excellence of the University of Missouri System.
The Vestal model defines two system modes, each associated with different guarantees. In the normal mode, every hi-criticality task completes its execution by its lo-WCET, and each lo-criticality task should be guaranteed to execute up to its lo-WCET as well. On the other hand, whenever any hi-criticality task does not signal its completion after exhausting its lo-WCET, a system mode switch is triggered; in the new mode, all of the lo-criticality tasks are dropped in order to guarantee that every hi-criticality task can execute up to its hi-WCET. In this traditional MC scheduling model, all hi-criticality tasks may simultaneously exceed their lo-WCETs, requiring execution up to their hi-WCETs in the new mode.

Motivation. However, in some cases, this assumption about the execution of hi-criticality tasks in the classic Vestal model could be too pessimistic. Indeed, having all hi-criticality tasks simultaneously exceed their lo-WCETs could be non-representative of many real-world real-time embedded systems.
The two pieces of code shown in Figure 1 are a toy example to illustrate this motivation in more detail. Let us assume both tasks are hi-criticality tasks, as they perform some important safety features of the system, dealing with either a frozen (task Anti Frozen) or an over-heating (task Over Heat) situation. Under normal circumstances, the actions in f2() and g2() are more than enough to bring the ambient temperature (around the platform) back to the normal range (0 to 50), such that f3() and g3() will not need to be executed. As a result, we may assign the lo-WCET of task Anti Frozen as the maximum time to execute f1() and f2(); the hi-WCET of task Anti Frozen as the maximum time to execute f1(), f2(), and f3(); the lo-WCET of task Over Heat as the maximum time to execute g1() and g2(); and the hi-WCET of task Over Heat as the maximum time to execute g1(), g2(), and g3().
A straightforward observation is that, even under extreme situations, only one of the above two tasks will need to execute its final if branch; i.e., there will be no time instant at which both tasks require execution up to their hi-WCETs simultaneously. As a result, any analysis following the Vestal model is over-pessimistic in this example, as it needs to take into consideration the impossible case where both tasks exceed their lo-WCETs at the same time.
Note that, when all hi-criticality tasks simultaneously exceed their lo-WCETs due to some system degradation or failure, it is computationally more efficient to characterize such behaviors with the MC varying-speed model [5,6,9,10,11], which better represents the uncertainties arising from the executing speed of the platform, rather than with the Vestal model using multiple WCET estimations (due to NP-hardness [1]).
Contribution. In this work, we propose a new MC system model to cope with more realistic assumptions for real-time embedded systems. The proposed model is more general than the existing well-studied Vestal model in the sense that it allows a system designer to specify the number of hi-criticality tasks that can exceed their lo-WCET simultaneously. We then analyze how this additional specification could impact the schedulability and develop an MC scheduler for this new model. We finally conduct schedulability experiments and compare the results from our scheduler and a classic MC scheduler, namely EDF-VD. The advantages from having only subsets of hi-criticality tasks exceeding their lo-WCET thresholds simultaneously are validated by these experimental results.
Organization. Section 2 describes the proposed MC system model. Section 3 adapts an existing scheduler for the problem, and proves its correctness. Section 4 evaluates the performance of the proposed scheduler under various parameter settings, and compares it with an existing MC task scheduler. Section 5 concludes the work and points out some future directions.

Model and Definitions
Mixed-Criticality Tasks. An MC periodic task set τ is specified as a finite collection of MC periodic tasks, each of which generates an unbounded number of MC jobs. Each task τ_i has a period T_i, modeling the time separation between two consecutive jobs of this task, and each job of τ_i has to complete its execution within D_i time units. In this paper, the tasks are assumed to have implicit deadlines, i.e., D_i = T_i. The integer time model is also assumed: all task periods are nonnegative integers and all job arrivals occur at integer time instants.
We consider a uniprocessor system where all tasks execute on and share the single processor, while the scheduler determines how it is shared.
A task exhibits lo-criticality behavior if all of its jobs complete execution by its lo-WCET. In contrast, a task is in hi-criticality behavior if any of its jobs requires an execution longer than its lo-WCET, but no more than its hi-WCET. Any other behavior is considered erroneous.
A hi-criticality task τ_i can be specified by

A lo-criticality task τ_j is represented with two parameters, τ_j = (c_j(lo), T_j). T_j is the period and the deadline of the task, and c_j(lo) characterizes the lo-criticality mode worst-case execution time. For lo-criticality tasks, only the lo-criticality behavior is possible.
The two WCETs specified for each hi-criticality task τ_i may come from timing analysis tools with different levels of pessimism:
- c_i(lo), which is determined by a less pessimistic timing analysis tool (or with fewer guarantees of being the worst case for any possible execution condition); a hi-criticality task may require an execution length of more than c_i(lo); and
- c_i(hi), which is sometimes larger than the lo-WCET by several orders of magnitude; it may be determined by a more conservative timing analysis, and it represents the worst-case execution time for any possible execution condition the task may experience.
The utilizations of tasks are defined for hi- and lo-criticality tasks respectively. Each hi-criticality task has two associated utilizations, one in each mode, whereas each lo-criticality task has only one associated utilization, as follows:

Mixed-Criticality Systems. An MC system is defined to run under two possible modes: a normal mode (lo-criticality mode), where every job completes upon executing for no more than its lo-WCET, and a hi-criticality mode, where some hi-criticality job executes for more than its lo-WCET but imperatively completes upon executing for no more than its hi-WCET.
The system mode is switched from lo-criticality mode to hi-criticality mode if any hi-criticality task has exhausted its lo-WCET but has not completed. Only hi-criticality tasks are guaranteed to meet their deadlines under hi-criticality mode.
Definition 1 (MC Task Instance) An MC task instance I is composed of an MC task set τ = {τ_1, τ_2, ..., τ_n}, where both hi-criticality tasks and lo-criticality tasks may be in τ. n_hi denotes the number of hi-criticality tasks in τ, and n_hi ≤ n. Each hi-criticality task τ_i is represented as

The notion of utilization difference for hi-criticality tasks is defined as follows.
Definition 2 (Utilization Difference) The utilization difference of a hi-criticality task τ_i is defined by

We assume that the tasks are indexed by criticality, from hi-criticality ones to lo-criticality ones, and that hi-criticality tasks are indexed by utilization difference: the larger the utilization difference, the lower the index, with ties broken arbitrarily. That is, the hi-criticality tasks are indexed 1, 2, ..., n_hi, and δ_i ≥ δ_j for any 1 ≤ i ≤ j ≤ n_hi.
Then, the per-mode utilizations of either criticality task set are defined:

Mixed-Critical Scheduling. The MC scheduling objective is to determine a run-time scheduling strategy which ensures that: i) all jobs of all tasks complete by their deadlines if no job exceeds its lo-WCET; ii) all jobs of tasks designated as being of hi-criticality continue to complete by their deadlines (although the lo-criticality jobs may not) if any hi-criticality job requires execution for more than its lo-WCET (but no more than its hi-WCET) to complete.
Limited hi-Criticality Behaviors. As motivated in Sec. 1, in some systems it could be reasonable to assume that only a limited number N of hi-criticality tasks may exceed their lo-WCET and reach their hi-WCET simultaneously, where N ≤ n_hi. In contrast, existing MC analysis usually makes the most pessimistic assumption that all of the n_hi hi-criticality tasks may execute beyond their lo-WCET and reach their hi-WCET simultaneously. Even if this could actually happen, it can be viewed as a special case (N = n_hi) of the new MC model we propose in this paper. By "simultaneously" (or "at the same time"), we mean within any time window of length T = max_i{T_i} (footnote 6). That is, at most N hi-criticality tasks can require an execution time larger than their c_i(lo) within any time window of length T. Again, please note that the Vestal model is a special case of our model, obtained by assigning N = n_hi.
Determining N. In this paper, we generally assume that the parameter N is given offline, instead of being determined online by the scheduler. That is, how to determine N is not the focus of this paper; we mainly focus on the problem of how to schedule the tasks with a valid schedulability test when N is given as an input parameter. Nonetheless, for the sake of inspiring future work, we briefly discuss a couple of potential sources the N parameter could come from. First, it could come from physical constraints in the system. Different sets of hi-criticality tasks may be triggered to perform their hi-criticality behaviors by different physical measurements, and such differences may be significant enough that they cannot have simultaneous impacts on the system. Second, it could come from contradicting logic control flows in the code. When the code of a task has branches, which branch is executed may depend on some global variables, and the same global variables may control the branch choices in multiple tasks. As a result, it could be logically impossible for some hi-criticality tasks to take their worst branch choices simultaneously. That is, their hi-criticality behaviors cannot have simultaneous impacts on the system.
Third, it could also come from probabilistic analysis if the WCETs of hi-criticality tasks are independent [8]. In this approach, the probability of multiple hi-criticality tasks performing hi-criticality behaviors can be calculated as the product of the (hopefully small) probabilities of each individual task performing its hi-criticality behavior. When this product is sufficiently small, the simultaneous hi-criticality behaviors of these tasks can be probabilistically deemed impossible (footnote 7). This setting was also considered in [12,14], which focus more on the various detailed combinations of tasks that may not perform their hi-criticality behaviors; therefore, a somewhat complicated scheduling approach was studied there. In this paper, we focus on the maximum number of such tasks only, which enables the applicability of the relatively simple scheduler EDF-VD.

EDF-VD Schedulability Analysis
In this section, we review a commonly used and adapted MC scheduler, namely EDF-VD [2], which was proposed for the classic Vestal model. We will refine the original analysis of EDF-VD to cope with our less pessimistic assumptions, and derive a new schedulability test for EDF-VD under the new model proposed in this paper.
[Footnote 6, beginning missing] ...though it may already be finished by the beginning of the period of interest, or it may not have started executing by the end of the period of interest).
[Footnote 7] Or equivalently, even if it does happen, it is viewed as erroneous, and the system design does not take care of it.
EDF-VD. Similar to the classic EDF scheduler, EDF-VD is a deadline-based, dynamic-priority scheduler. In contrast to EDF, EDF-VD assigns virtual deadlines, which are earlier than the actual deadlines, to hi-criticality jobs. At run time, their priorities are determined by their virtual deadlines in lo-criticality mode; upon a mode switch, their priorities are changed back to their actual deadlines in hi-criticality mode. Intuitively, the virtual deadlines in lo-criticality mode provide the room for the hi-criticality tasks to still meet their actual deadlines in hi-criticality mode when they occasionally overrun their lo-WCETs.

Let τ denote the MC implicit-deadline sporadic task system that is to be scheduled on a preemptive uniprocessor. Prior to run time, EDF-VD performs a schedulability test to determine whether τ can be correctly scheduled by it. If τ is deemed schedulable, then an additional parameter x is computed for setting the virtual deadlines of hi-criticality tasks. Each virtual relative deadline T'_i is calculated by "shrinking" the actual relative deadline T_i by the scaling factor x.
Next, we describe a schedulability test for EDF-VD under the proposed new model and prove its correctness. Note that, when N = n_hi, this schedulability test reduces to the one for the classic Vestal model in [2].

Schedulability test. First, given an MC task instance, the parameter x is calculated as follows:

By Theorem 1 (presented later), this assignment of x guarantees schedulability under lo-criticality mode. Then, schedulability under hi-criticality mode is also guaranteed if the following inequality holds:

That is, given an MC task instance, the schedulability test checks whether Inequality (6) is satisfied. The test returns success if Inequality (6) is satisfied, and failure otherwise.
Upon success, EDF-VD assigns virtual deadline parameters for all hi-criticality tasks as follows:

Correctness proof. The correctness proof of the above schedulability test has two parts: (i) all deadlines are met under lo-mode (Theorem 1), and (ii) all hi-criticality deadlines are met under hi-mode (Theorem 2).
Theorem 1 Under EDF-VD, all tasks meet their deadlines in lo-mode (where all jobs complete upon receiving execution time up to their lo-WCETs) if

Proof: By the density test in [13], $U^{\mathrm{lo}}_{\mathrm{lo}} + U^{\mathrm{lo}}_{\mathrm{hi}}/x \le 1$ is sufficient to ensure that EDF-VD successfully schedules all lo-criticality behaviors of τ. The theorem follows by rearranging this inequality.
Lemma 1 For any period of length t, the total demand by hi-criticality tasks cannot exceed $\left(U^{\mathrm{lo}}_{\mathrm{hi}} + \sum_{i=1}^{N} \delta_i\right) t$.

Proof: It is assumed that hi-criticality tasks are ordered (decreasingly) according to their δ_i values. Consider the scenario in which tasks τ_1, ..., τ_N require executions of more than their c_i(lo); then it is obvious that the total demand by hi-criticality tasks cannot exceed $\left(U^{\mathrm{lo}}_{\mathrm{hi}} + \sum_{i=1}^{N} \delta_i\right) t$. We prove by contradiction. Assume there is another scenario with total demand larger than the above-mentioned case. We can always identify the difference between this new release pattern and the one we have by "replacing" one job released by one of the tasks τ_1, ..., τ_N with a job released by some task other than τ_1, ..., τ_N, one at a time. We cannot directly add any task, since we have reached the maximum number (N) of tasks that can require demands higher than their lo-WCETs. However, since tasks are ordered by their δ_i values decreasingly, the demand of the new task in the period of interest (between the release and the deadline of the job being replaced) cannot exceed the one created by the original job. Therefore, such "swaps" always result in a decrease of the total demand, which contradicts our assumption.
Theorem 2 Under EDF-VD, all hi-criticality tasks meet their deadlines in hi-mode if Inequality (6) holds. In hi-mode, some but no more than N hi-criticality job(s) have not completed upon receiving execution time up to their lo-WCETs but will complete upon receiving execution time up to their hi-WCETs.
Proof: It is assumed that the reader is familiar with the correctness proof for EDF-VD in [2], so we skip the parts of the proof that are identical. We also adopt all notation from there: t_f is the first hi-criticality deadline that is missed, 0 is the last idle instant before t_f, t* < t_f is the mode switch point, η_i denotes the amount of execution over the interval [0, t_f) that is needed by jobs generated by task τ_i, and a_1 is the release time of the job with the earliest release time amongst all those that execute in [t*, t_f).
The proofs of Facts 1 and 2 remain unchanged, due to the minimal set assumption and the same strategy being used under lo-mode. Regarding Fact 3, here we instead calculate the maximum total hi-criticality demand over [0, t_f), and then sum the cumulative demand of all the tasks over [0, t_f).
From Lemma 1 we know that during the interval [a_1, t_f), the total hi-criticality demand does not exceed $(t_f - a_1)\left(U^{\mathrm{lo}}_{\mathrm{hi}} + \sum_{i=1}^{N} \delta_i\right)$. As a result, we have the following upper bound for the cumulative demand of all hi-criticality tasks over [0, t_f):

From the infeasibility of the instance (due to the deadline miss at t_f), we have

The contrapositive is exactly Inequality (6), which is sufficient to ensure hi-criticality schedulability by EDF-VD.
Runtime behavior. During runtime, if a lo-criticality job of task τ_i arrives at time instant t_a, then the priority of this job is determined by its deadline t_a + T_i, whereas the priority of a hi-criticality job is determined by its virtual deadline t_a + T'_i. If any hi-criticality job executes for a duration exceeding its lo-WCET without signaling completion, the scheduler immediately discards all lo-criticality jobs (footnote 8) and executes hi-criticality tasks in EDF order using their actual (instead of virtual) deadlines. Moreover, an idle instant always serves as the trigger for returning the system to lo-criticality mode.
Additional discussions. Under the MC scheduling approach, lo-criticality jobs are dropped in hi-criticality mode, and any hi-criticality job overrunning its lo-WCET triggers the mode switch. With the proposed model, this dropping may not be necessary. The following inequality should be examined before the system starts any execution:

If Inequality (13) holds, then neither a mode switch nor virtual deadlines are needed: the system can be scheduled by the ordinary preemptive EDF scheduler and all deadlines will be met. This result follows directly from Lemma 1. If Inequality (13) does not hold, we apply the MC scheduling techniques described earlier in this section and examine Inequality (6) to verify schedulability.
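As an added worked example (not code from the paper), the following Python computes the quantities this section uses for a Figure 1 style toy system: per-mode utilizations, the δ_i ordering of Definition 2, the Lemma 1 demand rate for a given N, the x of Theorem 1, and the virtual deadlines T'_i = x·T_i. Inequalities (6) and (13) are not reproduced on this page, so the code assumes (6) is the classic EDF-VD hi-mode test with U^hi_hi replaced by the Lemma 1 rate and (13) is U^lo_lo plus that rate being at most 1; the task values are constructed.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional

# Added example, not the paper's code. The quantities follow the paper's definitions.
# ASSUMPTION: Inequality (6) is taken to be the classic EDF-VD hi-mode test with U^hi_hi
# replaced by the Lemma 1 rate (U^lo_hi plus the N largest delta_i), and Inequality (13)
# to be U^lo_lo plus that same rate being at most 1; neither is reproduced on the page.

@dataclass(frozen=True)
class Task:
    name: str
    c_lo: int                   # lo-WCET c_i(lo)
    period: int                 # T_i; implicit deadline D_i = T_i
    c_hi: Optional[int] = None  # hi-WCET c_i(hi); None marks a lo-criticality task

    @property
    def is_hi(self):
        return self.c_hi is not None

    @property
    def u_lo(self):
        return Fraction(self.c_lo, self.period)

    @property
    def delta(self):  # Definition 2: u_i(hi) - u_i(lo), hi-criticality tasks only
        return Fraction(self.c_hi, self.period) - self.u_lo


def per_mode_utilizations(tasks):
    """Return (U^lo_lo, U^lo_hi, U^hi_hi) as exact fractions."""
    u_lo_lo = sum((t.u_lo for t in tasks if not t.is_hi), Fraction(0))
    u_lo_hi = sum((t.u_lo for t in tasks if t.is_hi), Fraction(0))
    u_hi_hi = sum((t.u_lo + t.delta for t in tasks if t.is_hi), Fraction(0))
    return u_lo_lo, u_lo_hi, u_hi_hi


def hi_demand_rate(tasks, n_limit):
    """Lemma 1: with at most n_limit hi-criticality tasks overrunning within any window
    of length max_i T_i, hi-criticality demand over any window of length t is at most
    rate * t, where rate = U^lo_hi + sum of the n_limit largest delta_i."""
    deltas = sorted((t.delta for t in tasks if t.is_hi), reverse=True)
    return per_mode_utilizations(tasks)[1] + sum(deltas[:n_limit], Fraction(0))


def plain_edf_sufficient(tasks, n_limit):
    """Assumed Inequality (13): ordinary preemptive EDF suffices, no mode switch needed."""
    return per_mode_utilizations(tasks)[0] + hi_demand_rate(tasks, n_limit) <= 1


def edf_vd_test(tasks, n_limit):
    """Return (schedulable, x, {hi task name: virtual relative deadline T'_i = x * T_i}).
    n_limit equal to the number of hi tasks reproduces the Vestal-model test of [2]."""
    u_lo_lo, u_lo_hi, _ = per_mode_utilizations(tasks)
    if u_lo_lo >= 1 or u_lo_lo + u_lo_hi > 1:  # lo-mode alone overloads the processor
        return False, None, {}
    x = u_lo_hi / (1 - u_lo_lo)                # Theorem 1: U^lo_lo + U^lo_hi / x <= 1
    if x * u_lo_lo + hi_demand_rate(tasks, n_limit) > 1:  # assumed Inequality (6)
        return False, x, {}
    return True, x, {t.name: x * t.period for t in tasks if t.is_hi}


# Constructed sample in the spirit of the paper's Figure 1 toy example (values made up):
# two hi-criticality tasks that never both take their expensive branch at the same time.
TOY = [
    Task("Anti_Frozen", c_lo=2, period=10, c_hi=6),
    Task("Over_Heat", c_lo=2, period=10, c_hi=6),
    Task("Logging", c_lo=3, period=10),  # lo-criticality
]

if __name__ == "__main__":
    for n in (2, 1):  # N = 2 = n_hi is the Vestal model; N = 1 lets only one task overrun
        print(n, plain_edf_sufficient(TOY, n), edf_vd_test(TOY, n))
```

With N = n_hi = 2 the toy system fails (U^hi_hi = 1.2 already exceeds the processor), while N = 1 passes with x = 4/7, which is the schedulability gain the section argues for.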

Schedulability Experiments
In Section 2, we proposed a new MC system model that specifies the maximum number of tasks N that can simultaneously experience hi-criticality behaviors within any time window of length max_i{T_i}. With this additional information in the model compared to the classic Vestal model, we expect a "better" schedulability result for EDF-VD under the new model. In this section, we conduct schedulability experiments to evaluate the effectiveness of the proposed model against the classic Vestal model. Various per-mode utilizations as well as values of N are considered in our experiments. The MC task instances in our experiments are generated by the MC task generator described in [3], which has passed artifact evaluation.
In each set of our experiments, the average normalized utilization [4] of the generated task sets ranges from 0.5 to 1 in steps of 0.05. For every average utilization, 1000 task sets are generated, and the acceptance ratio indicates how many of them passed the corresponding schedulability test (and thus can be scheduled correctly). Figures 2, 3, and 4 demonstrate the effectiveness of the new model, along with the corresponding EDF-VD schedulability test, under various settings of the number of hi-criticality tasks (16, 32, and 64) and of N (i.e., the number of hi-criticality tasks that can simultaneously exceed their lo-WCETs). It is natural that the acceptance ratios drop when the system is more heavily loaded (with higher utilization). However, we notice that our method maintains a relatively higher acceptance ratio even when the normalized utilization gets close to 1.
These results also show that, if less pessimistic assumptions (about N) can be made, the schedulability can be significantly increased. We do not notice much difference in the trends when the total number of hi-criticality tasks varies.

Conclusion
This paper extends the classic Vestal model for MC scheduling by allowing system designers to specify an additional parameter representing the maximum number of hi-criticality tasks that may simultaneously exceed their lo-WCETs during runtime. By simultaneously, we mean within any sliding time window of length less than or equal to the maximum period among all tasks. The well-known scheduler EDF-VD has been studied under the proposed model, and a new schedulability test has been proposed and analyzed. Schedulability experiments have demonstrated that, by applying the proposed model in place of the classic Vestal model, significant schedulability improvements can be achieved.
For future work, we would like to consider fixed-priority schedulers under the proposed model, in addition to the deadline-based scheduler, EDF-VD, we considered in this paper. The results may also be extended (at a measurable cost) into multi-processor and/or multi-criticality-level cases.