4.3 Theoretical Evaluation and Application
4.3.2 Proof: The Bounds of Schedulability
At the beginning of this chapter, the utilisation-based schedulability test was redefined in terms of interference on each resource dimension (Eqn. 4.2), which directly correlates with the resource availability metric used in this framework (Eqn. 4.6). Utilisation-based analysis, as described on Page 44, provides a sufficient schedulability test: if the conditions are met, the µS will meet the deadline. Although it does not guarantee that the µS will miss the deadline if the conditions are not met, it can be reasonably assumed that as the interference grows and the schedulability condition is violated to a greater degree, the likelihood that the deadline may still be met will decrease.
In order to evaluate the framework the following scenarios must be considered with respect to the workload patterns described in Section 2.3.3:
Scenario 1 Static workload resulting in a continuous level of interference.
Scenario 2 Dynamic workload either random, once-in-a-lifetime, or periodic in nature.
Scenario 3 Continuously increasing resulting in greater levels of interference and therefore
Scenario 4 Continuously decreasing resulting in less interference and more resources available to the µS.
Figure 4.6: Visual proof without words of the proposed mathematical framework. For simplicity using single average (µ) values from 5-tuple representing U and RTT.
Using these scenarios the remainder of this section explores the presented framework in the context of the utilisation-based schedulability test in the form of visual and inductive proofs.
Visual Proof
A visual proof, otherwise known as a “proof without words”, must demonstrate using a diagram the mathematical statement that the proposed framework satisfies the schedulability condition described earlier. Figure 4.6 depicts the framework in the context of Scenario 2 above with a dynamic workload resulting in the assigned deadline potentially being missed. The nature of the sufficient schedulability condition dictates that it cannot guarantee the failure of the µS to meet the deadline as defined by the implication relation $\implies$.
(a) Multi-dimensional space of the model with respect to r ∈ R and time with the µS’s deadline D.
(b) Instantaneous resource availability α of h and total availability A.
(c) Required resources by the µS, u and U .
The construction of the proof is shown in Figure 4.7, comprising three stages:
Figure 4.7a Multi-dimensional space of the model with a deadline assigned to the µS.
Figure 4.7b The observed resource availability varying randomly over time and mapped onto the coordinate system value j.
Figure 4.7c The required resources by the µS which are greater than those available to it, resulting in a response-time RTT greater than the specified deadline.
The following section details an inductive proof for each of the scenarios listed above.
Inductive Proof
In order to demonstrate that the proposed framework is theoretically effective in estimating the response-times of µSs and importantly predicting when and if a RT-QoS violation of a deadline being missed might occur this section details an inductive proof. The general proof is outlined before being applied to the individual scenarios detailed on Page 99.
Before outlining the proof itself there are four assumptions that must be considered:
Assumption 1 Section 4.2.2 in Eqn. 4.15 assumes that a given µS will have a consistent resource utilisation pattern for a given resource availability configuration. Therefore for a given configuration $j$ the forecast utilisation $F$ will be consistent with minimal variation.
Assumption 2 Section 4.2.3 on Page 90 in Eqn. 4.20 assumes that the work done by the µS is non-decreasing over time. This means that as the progress is recalculated the new progress value must be larger than or equal to the last calculated progress $p_{t-1}$. This assumption holds true as long as the µS cannot fail, restart, or resume execution from an earlier point. The framework is therefore ignoring faults and failures that are not related to the performance degradation due to interference but focussing only on those discussed in Section 4.1 Figure 4.1.
Assumption 3 Section 4.3.2 on Page 98 outlines the basic assumption that resource interference results in a slowdown of execution of the µS.
Assumption 4 According to traditional real-time systems execution time calculations the response-time of the µS will be approximately equal to:
$$\max\ \forall r \in R : \frac{U(s)_r}{j} \qquad (4.25)$$
Where in a single threaded and single core environment $U \equiv C$ which would be the number of CPU units required to complete (WCET). The framework therefore assumes that these real-time assumptions can be mapped onto a multi-threaded environment by representing the interference as a percentage.
Given these assumptions, using an inductive proof it can be shown that at a given point in time the set of identified points in the model stating that the µS will meet the deadline is sound. Additionally, that set is the complete set of resource configurations for which it can be guaranteed that the µS will meet the deadline according to the sufficient utilisation-based schedulability test. It may not be the complete set based on an exact schedulability analysis.
The generic proof is therefore as follows:
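Base Case The current resource availability $\alpha \mapsto j$ at time $t$ is such that $RTT_t[j] = D$.
Inductive Case If $i = j + x$ where $0 \le x \le |d_r|$, incremented in any resource dimension such that $\sum_{r}^{R} i_r > \sum_{r}^{R} j_r$. Which means that according to Assumption 4:
$$\begin{aligned}
\frac{U}{i} &= \frac{U}{j+x} \\
\implies RTT_t[i] &= \frac{U}{i} \\
\implies RTT_t[i] &= \frac{U}{j+x} \\
\implies RTT_t[i] &= \frac{U}{j} - \frac{U \cdot x}{i} \\
\implies RTT_t[i] &= RTT_t[j] - \frac{U \cdot x}{i} \\
\implies RTT_t[i] &\le RTT_t[j]
\end{aligned}$$
Therefore $\forall i \in \Gamma : i \ge j \implies RTT_t[i] \le RTT_t[j]$
And $\forall i \in \Gamma : i \ge j \implies RTT_t[i] \le D$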
Which shows that in the positive case where the µS has access to more resources, indicated by i > j, the response-time will reduce. This can then be applied to each of the scenarios detailed on Page 99 with static, dynamic, increasing, or decreasing interference over the execution duration of the µS:
Static takes the form of the generic proof where $\alpha_{t+1} = \alpha_t \implies j_{t+1} \equiv j_t$:
Base Case The response-time will be less than or equal to the deadline:
$$\frac{U}{j} \equiv \frac{F_{p=0}}{j} \implies RTT_t[j] \le D$$
Inductive Case Throughout execution the forecast time-to-finish $TTF$ will be less than or equal to the deadline.
$$\frac{F_{p=1}}{j_{t+1}} \equiv \frac{F_{p=1}}{j_t} \implies TTF_{t+1}[j_t] \equiv RTT_t[j] - 1$$
Therefore throughout µS execution at all time points $x$ the time-to-finish will correspond with the original estimated response-time:
$$\forall x \in \mathbb{Z}^+ : \frac{F_{p=x}}{j_{t+x}} = TTF_{t+x}[j_{t+x}] = RTT_t[j] - x \implies TTF_{t+x}[j_{t+x}] \le D - x$$
Dynamic involves three unique cases whereby the µS either: (A) meets the deadline as expected; (B) fails to meet the deadline; (C) or is expected to fail to meet the deadline but performance improves allowing the deadline to be met. In each case $\alpha_{t+1}$ may or may not be equivalent to $\alpha_t$ but the average resource availability from $t = 0$, the point when the µS is started, to $t = D$ is defined by $A$ according to (Eqn. 4.7). The actual observed response-time will be $\frac{U}{A}$ as defined by (item 4.25). The three cases are therefore outlined below:
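A Is the case where although the interference experienced by the µS is dynamic, at every point during execution the resources required by the µS $F$ in order to complete by the deadline $D$ are sufficiently provided:
$$\begin{aligned}
&\frac{F_{p=0}}{j_{t=0}} = TTF_t[j] \le D : \forall x, 0 \le x \le D : \sum_{t=0}^{x} \omega_t \ge \frac{x}{D} \cdot F_{p=0} \\
&\implies \sum_{t=0}^{x} \omega_t \ge F_{p=0} - F_{p=\frac{x}{D}} \\
&\implies x + \frac{F_{p=\frac{x}{D}}}{j_{t=x}} \le D \\
&\implies \frac{F_{p=0}}{A_\Sigma} \le 1 \\
&\implies RTT[A_\Sigma] \le D
\end{aligned}$$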
B Is the instance where unlike in (A) the total resource availability for $0 \le t \le D$ is less than that required for the µS to meet the deadline. At the beginning though the $RTT_t[j] \le D$ but later interference will cause the failure:
$$\begin{aligned}
&\exists x, 0 < x < D : \omega_{t=x} < u_{p=\frac{x}{D}} \wedge \sum_{t=x+f}^{D} j_t \le F_{p=\frac{x+f}{D}}[j_{t=x}] \\
&\implies TTF_{t=x}[j_{t=x}] > D \wedge RTT[A_\Sigma] \ge D
\end{aligned}$$
Where even one instance of adequate resources not being available may result in the deadline being missed. Which is identified at time $x$ with $TTF_{t=x} > D$. In the above equation the $\wedge$ denotes the logical "And".
Additionally in some cases the framework may be able to show that it is not possible for the deadline to be met, even if adequate resources were to become available at a later point, such that $\nexists i : TTF[i] \le D$.
C Removes the constraint from (B) such that availability of resources after $x$ is greater than those originally required and is sufficient for a new forecast under the new constraints of $j_{t=x}$. As in (B) there will be a point $x$ such that the forecast time-to-finish indicates that the deadline will be missed:
$$\exists x, 0 < x < D : \omega_{t=x} < u_{p=\frac{x}{D}} \implies TTF_{t=x}[j_{t=x}] > D$$
However, in this case there will be a point $y$ such that the available resources are more than anticipated and sufficient for the deadline to be met:
$$\begin{aligned}
&\exists y, x < y < D : \omega_{t=y} > u_{p=\frac{x}{D}} \wedge \frac{F_{p=\frac{y}{D}}[j_{t=y}]}{j_{t=y}} \le D \wedge \sum_{t=y+f}^{D} j_t \ge F_{p=\frac{y+f}{D}}[j_{t=y}] \\
&\implies TTF_{t=y}[j_{t=y}] \le D \\
&\implies RTT[A_\Sigma] \le D
\end{aligned}$$
Increasing is a specific case of the dynamic case (B) where interference is increasing such that $\forall x, j_{t+x} < j_t$. This itself has two cases where (A) the deadline may still be met because the increase is not sufficient to delay the µS or (B) the deadline is missed.
A If the resource availability is continuously increasing such that the deadline can still be met, the following must apply:
$$RTT[j_{t=0}] < D \wedge RTT[A_\Sigma] \le D$$
B Where the increase results in the deadline being missed the framework will identify at time $x$, in the same manner as previously, that the predicted time-to-finish is greater than the deadline.
Furthermore there will be a point $x \le y < D$ such that there is no configuration $i$ for which the deadline could be met.
Decreasing is a basic case such that $\forall x, j_{t+x} > j_t$. This implies that the $\forall x, TTF_{t+x} < TTF_{t+x-f}$ and that the final observed response-time will be less than deadline: $RTT[A_\Sigma] < D$.
Note however, that in all scenarios, but this one in particular, there is never a situation where meeting the deadline can be guaranteed without knowledge of the interference to come: $\exists i : TTF_t[i] > D$.
The framework has so far been theoretically applied to various scenarios of resource interference, resulting in the periodic updating of the predicted time-to-finish and, where appropriate, identifying the potential missing of a deadline as well as critically identifying where the deadline can no longer be met regardless of any future resource availability.
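The following sketch is an added example, not code from the thesis. It replays constructed availability traces through the time-to-finish forecast for the static scenario and for dynamic cases (B) and (C). It assumes unit time steps, availability expressed as a fraction where 1.0 means no interference, and progress that advances at the rate of the bottleneck resource; the names `ttf`, `replay`, `cpu_trace` and all trace values are hypothetical.

```python
import math
from typing import Dict, List

Config = Dict[str, float]  # availability j_r per resource dimension r (assumed: 1.0 = no interference)

def ttf(p: float, required: Config, avail: Config) -> float:
    """Forecast time-to-finish at progress p: remaining share of max_r U_r / j_r."""
    worst = max(math.inf if avail[r] <= 0 else required[r] / avail[r] for r in required)
    return (1.0 - p) * worst

def replay(required: Config, trace: List[Config], deadline: float):
    """Return (response time, first t with t + TTF > D, first t where no configuration meets D)."""
    best = {r: 1.0 for r in required}       # configuration i with zero interference
    p, warned, lost = 0.0, None, None
    for t, avail in enumerate(trace):
        if warned is None and t + ttf(p, required, avail) > deadline:
            warned = t                      # predicted miss under the current j_t
        if lost is None and t + ttf(p, required, best) > deadline:
            lost = t                        # no i remains with TTF[i] <= D
        rate = min(avail[r] / required[r] for r in required)  # bottleneck dimension
        if rate > 0 and p + rate >= 1.0:
            return t + (1.0 - p) / rate, warned, lost
        p += rate                           # Assumption 2: progress never decreases
    return None, warned, lost               # did not finish within the trace

# Constructed inputs: required work U per dimension and deadline D.
U = {"cpu": 8.0, "io": 4.0}
D = 12.0

def cpu_trace(levels):
    """Build a trace from (steps, cpu availability) pairs; io is held at 1.0."""
    return [{"cpu": a, "io": 1.0} for steps, a in levels for _ in range(steps)]

STATIC = replay(U, cpu_trace([(24, 1.0)]), D)                        # constant j
CASE_B = replay(U, cpu_trace([(4, 1.0), (20, 0.25)]), D)             # interference persists
CASE_C = replay(U, cpu_trace([(4, 1.0), (4, 0.25), (16, 1.0)]), D)   # interference clears

if __name__ == "__main__":
    for name, result in (("static", STATIC), ("B", CASE_B), ("C", CASE_C)):
        print(name, result)
```

In case (B) the forecast flags the miss at t = 4, well before t = 10, the first point at which no configuration could still meet the deadline; in case (C) the same warning at t = 4 is followed by recovery and a response time within D.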