Dynamic scheduling in the presence of faults : specification and verification

(1)

http://wrap.warwick.ac.uk/

Original citation:

Janowski, Tomasz and Joseph, Mathai (1996) Dynamic scheduling in the presence of faults : specification and verification. University of Warwick. Department of Computer Science. (Department of Computer Science Research Report). (Unpublished) CS-RR-301

Permanent WRAP url:

http://wrap.warwick.ac.uk/60986

Copyright and reuse:

The Warwick Research Archive Portal (WRAP) makes this work by researchers of the University of Warwick available open access under the following conditions. Copyright © and all moral rights to the version of the paper presented here belong to the individual author(s) and/or other copyright owners. To the extent reasonable and practicable the material made available in WRAP has been checked for eligibility before being made available.

Copies of full items can be used for personal research or study, educational, or not-for-profit purposes without prior permission or charge. Provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way.

A note on versions:

(2)

Research

Report

301 Dynamic Scheduling

in

the

Presence

of

Faults:

Specification

and

Verification

Tomasz Janowski,

Mathai

Joseph

RR3O1

A

distributed real-time program is usually executed on a

limited

set of hardware resources and is

required to satisfy timing constraints, despite anticipated hardware

failures.

Static analysis of the

timing

properties

of

such programs is often

infeasible.

This paper shows how to formally reason

aboui

these

programs when scheduling decisions are

made

on-line

and take

into

account

deadlines, toaA and hardware

failures.

We use

Timed

CCS as a process description language,

define

a language to describe anticipated faults and apply a version of _trr-calculusto specify and

verify timing

pioperties. This allows

the

property

of

schedulability to

be

the

outcome

of

an

equaiion-solving

problem.

And

unlike

conventional reasoning, the logis is

_{fault-monotonic:}

rf

correctness

is

proved

for

a

number

of

faults,

correctness

for

any

subset

of

these

faults

is

guaranteed.

Department of Computer Science

University of Warwick Coventry CY47AL

United Kingdom

(3)

Dynamic

Scheduling

in

the

Presence

of

Faults:

Specification and

Verification

*

Tomasz Janorvskil and Mathai Josephz

t

'Ihe _tlnit"dNations University International Institute for Softrvare Technology

P.O. Box 3058. Macau 2 _{Department of Cornputer}_Science

IJniversit)' of Warrvick, Coventry CV4 7AL, UK

Abstract,

A distribut,ed real-time program is usually executed on a

limited set of hardrvare resources and is required to satisfy timing

con-straints. despite anticipated liardware failures. Static analysis ofthe

tirn-ing properties of such programs is often infeasible. This paper shows

how to formally reason about these programs when scheduling decisions

are made on-line and take into account deadlines, load and hardrvare

failures. We use Tirned CCS as a process description language, define a language to describe anticipated faults and appl.'- a version of a

p-calculus to specify and verifl timing properties. This allows the propert,)'

of scheclulability to be the outcome of an equation-solving problern. Ancl

nnlike convent,ional rea-soning, the logic is fa'ult-monotonic: if correctuess is proved for a number offaults. correctness for anv subset ofthese fa.ults

is gua.ranteecl.

Introduction

Consider

a

real-time systerr which consists of

a

fixed number of tasks, each rvith a possibly unbounded numbel of invocations. Some tasks are periodic a:nd

will be invoked at regular intervals by timers; the others are sporaclic tasks ancl

are invoked by some other task or by the environment. Let the tasks be stati-cally partitioned betrveen the nodes of the systern, all connected by a muitiple-access network and each providing resources like clocks, memories and

proces-sors. Clocks are used to implement tir-ners, and asynchronous comlnunicatiot.t takes place using memory to implement Protected Shared Objects (PSO's) [5].

There will usually be more tasks than processors, so at each node the aliocatiort

of local resources is controiled by a reai-time scheduler; tliere is also a protocol for scheduling the netlvork traffic. Tlie hardware of tlie system may be unreliable:

for exarnple! processors may fail, memory lnay be corruptecl and cottttrtutrication may be delayed.

A real-t,irne system operates under both Lesource ancl timing cotrstraiuts, for example

tliat

a task produces 'correct' output rvithin a specified

title.

But such

(4)

deacilines neecl not be restricted to one task and rve let a lranscLctiott relate the

timing of actions in one or r.nore ta.sks. Assume that tasks couttlunicate through PSO's alrcl

tlial

norrrally they are statically scheduled using the ceiling priority'

protocol [5]. \\rhen hardrvare faults occur', ltorvevel, we let dytranlic scheduling

be usecl

for a

more flexible reassignment

of

resources. Verification

of

timing

properties rvill recluire solne a.ssuntptions: (1) about, the speecl and the number of processor.s, (2) about anficipated liardrvare failures and (3) about the ntittir.t'ttttrr

irrter.-arrival tinre betweet] external invocations for each sporadic task.

,finecl _process

algebr.as (e.g. [20, i1,26] ) provide an obvious formal frarrt:

work for

tIis

analysis. But basecl on t]re marirnal parallelisn assurnption _[2'1].

6ost

a.r'e unable

to

represent clela.ys clue

to

resource contetrtion

or

to

uroclel

sclieciuling clecisions clilectly.

illiis

gave rise

to

ClCSR _{[9] n'hich}lrrovides

s1'n-chrolols

tilted

actions ancl asynchrotrous instautaueous evettts, the fortrler

re-solving cornpetition for resources and the latter for syuclironization. BTit CCSR (ancl most other such formaiistns) assulrte the use of fixed priorities ancl are tfius ulsuit,able for rnoclelling dynarlic sclieduling decisious, e.g. to recover frotu

faults. Furtlier, bisimulation-based reasoning is usually insufficient to verify

fault-tolerance:

it

ma,y be possible to provably tolerate a llumber of faults, yet be

un-able t,o provably tolerate only some of thern _[12].\Vitir unpredictable faults, such fatth-ntonolorticily is imltortant but is harcl to esta,blish in tnost branching-t'irne

theories. Finally, fault,-toierant schecluling lias recently received sorne attelltiort

[3,22] bLrt in a sernantic frarnervork lvhich does not give sufficient insight into

horv proofs of feasibility of other scheduliug problerns can be olttaiuecl, antl rvith

synchlonization restrictecl t'o sitlple prececletrcc lletrvectr tasks.

This paper shorvs hou' to realistically analyse the tiruing ploperties of cotltttttt

nicating systems in tlie fratnework of timed process algebras. We use a vcrsiou of

Tirnecl LfCIS _{[26] ancl}use timed plocesses to represeut tasks, to uoclel harclu'are a.ncl to clescribe scheclulers. D1'nan'ric scireduling is rrsecl _{(unlike [8,}

9,6])

and priorities are assigrred

to

tasks. and not

to

individual actions (unlike [8.9] )

This

rnakes

it

possible

to

use

a

single framervork

for

reasoniug, abstraction

and autonatic verification [10] aud to relate scheclulability to equation-solving [21, 17].'lhe language is equipped with the usual transitional semautics and

pro-vides r11ea1s of representing the effects of faults: semantically, using additional

r-labelled transitious, and syntactically, by 'faulty'declarations for process cou-stants [12]. For verification, a version of the pr-calculus which follows timed [26] and modal [14] extensions of Hennessy-Milner logic is used; this is also

fault-monotonic [12]. The logic allows expression of deadlines, transactions aud

euvi-rolment assun-rptions. ancl is able to detect deadlocks a,ncl verify fa.ult-tolerauce.

We start by assuming a,n unlimited nurnber (maxirnal pa,rallelism) of fault-free ltaldrvarc resollrces (Section 2). Assuming fault-free hardn'are, Section 3

provicles an alchitect ural model for describing atid reasoning about systems rvith

liltiterl

resourcos. Sect,ion 4 retains tlie assumption of unlimitecl resotlrces atrd introduces reasoning about

tht

effects of hardrvare failures. For this, the

pro-cess languagt is assigned cliffelent fault-affected settrantics, an(l the logic refine<l

ilto

its fallt-rnonotonic version. 'lhese intpt'ovemetrts a,re cotttbineci in Sectiorl

(5)

5, wfiere

it

is shorvn holv to reason about timing under resource limitations, in

tire presence of anticipated hardrvare faults. Section 6 provides a cliscussiotl.

2 Resource-basedSystems

\Ve first briefly describe a timecl process

(based on a rnodal p-calculus) to express

unlin-rited, fault-free hardware resources.

la.nguage (based on 'l'CCIS) aud a logic

and velify timing properties, assuutiug

2.L

The

Language

Let

A

be a set of actions consisting of untimecl a.ctiolts

(f,)

and tin'iecl actions

e(l),

o1e

for

each non-negative real

I

ancl represeuting

a

delay of

I

rrnits of

time. \4/e shall norrnally exclude I

₌

0 and rvrite

r

instead of e (0), aucl represent

sy.rrr'lrronization b; .orrrplernerrlary rrrrlirnecl acl.ionsn arrd A (u ₌u or,d e (1) :a".1

e(r)). Let

Lc

f.,

f :A-A(.f(e(t))

=

E(l) and

/(a)

=/(a))

alid

I €X,a

set of process coustattts. Also, Iet a

€

,C ancl

a

€

A.

There are three syntactic categories: process expressiotts Pe, declaraliotis

4

aucl processes P'

Pe::=0

_{lXlo'PelPe*Pe}

l:::tllz\tr=P"l lao.1lzloc

(l)

P

::=0

|

pr.zl

I

o.P

I P

+

P I PIP

lP\,

I

P[/]

Inforlrally.0 represents cleadlock, a.P is process P rvit'h plefix o aucl process

P

+

Q

reprcst'nts altematioti. PIQ is usecl for coucurrent coltposition. P

_\

t

for restrictio".

P[/]

for renarning and

pI.:1

for the solution

I

of tlre recttt'sive

equatioDs 21. The cieclara.tions include tire c.nrpty cleclaration

_[],

/1[x'Pe].

to

{eclare

X

as Pe and other constants as in :1, cr O C to prefix n to the right sicle

of all cleclarat'ions in C. and zl

tl

V

to sunl tlte right' sicles of the corresponding

declarations

in C

and

V. It

is assumecl

that

in

pX.A'

X

ancl

all

constants

occulring

in C

are also declared

in

z\. \4re abbreviate

_[[X

₌

Pe]l]''Qe]

as

[X

_'

Pe, 1'

]

Qel and will often write

[I '

Pe I p] for all declarat,ions

I i

Pe

such that predicate p holds. Formally, the semantics of Zl is a pa,rtial function

[Zl]

defining the a,ssignmeut of process expressiotrs

to

process coustants, as itt

Table 1, and rvith dont(A) for the constauts declarecl ir.r A.

The semantics of processes is opera,tional, ancl is defined in Table 2 by

struc-tural induction. closely following [26] . The first rou' of rules applies to all unt imed

act,ions plus

r:

_\

€ LL)

{z}.

Row-s two and three defiDe the passing of time and

apply t,o l,

u

)

0. Thc rules let o.P idie indefinitely

until

the environment is

reacly to sl,nchronize. There is no rvaiting once syttchronization is possible (nlax-irnal progress). i.e. no delay for

r.P

rvhiie PIQ

will

idle unless

P

ancl _Qcan sylc|ronize: Sr(P) includes all actions a of P n,hich a.re possiltlt'rvithin

I

tirne

ruyrits. For exanple, Sr(o.P)

:

_{.},.S1(r.P)

=

0,

Sr+,(e(l).P)

₌

S.,(P) and

.S,(PlQ)

₌

.Sr(P)U.Sr(Q). Time is corrtinuous, and delays do not ca,rtse loss of

ac-tiols

(persistency) or result in reaching clifferent sta.tes (cleterrttinac)'). Ro_rv fortr

(6)

process obtairled by simulta[eous substitution of all constants

Y

in

/([z\](X))

by

tlreir corresponding fixed point,s pr'.a.

In

t,he sequel rve shall appll' obvi

ous extelsiols of the la.nguage to describe value-passing attcl a.ssttttte the rtsrtal

lranslal,iorr itrto

llt.

basic latrguage _[19].

2.2 The

Logic

The logic is a versior.r of the ruoclal p-calculus rvhich follows the tiruecl exteusious

of HN{ logic _[26](nreaning, antong othel things, tha.t rve need infinite conjunction)

and rvhic| for sirnplicit.l', likc tlie process la.uguage, does not allorv for nestirlg

of the fixecl point operator _[13].Let e be a.n etl.rl;tv seqllcllce ancl let 3 clenote

s €

A*

rvith all r's retnoved (ancl deltrys sunltlled).

a=e ri':-nf 7s-=i

/.'\

e[)t-r.s

₌

e(l)ni e([s: e(t)i a(lf[r)s:5(l f u)i

(

j'

T[e forrlulas,|

are built using constants l1 ancl iclentifiers Z, t'regatiotr,

disjunc-tiorr rvhich is possibly infinite, the existential modality. and tlie greatest fixecl point, rvith the other operators derivecl as usual. As in the process language. the

syltax consist-q of formula expressious

fe,

declaratiols

V

and forlnrrlas l,.

Fe

::: tt

I

Z

l-fl.

I

V,er

fe

|

(6)fe

V

::=

_lZ'

Fe)llz

?

FelY

F

::-tIlvZ.Y

_l-F

I

V,err

I

(a)f

For silrplicity rve rvlite

Y(Z)

for the folmula e-rpt'cssiou rvhich is assignecl to Z

by'V alcl as usual assunte that, iclentifiers in V(

Z)

occtr

"vithitr an even ttttllrbt'r'

of legations, each also cleclared in

V.'llhen

the setuautics of

F (Ie)

is clefirrecl

relative to au a-qsigutlettt 6 of iclentifiers

Z

to

process-sets _{and is the set [l:],r}

of processes that satisfy'

M

(we write

_{P I}

,11 rvhcnever

P €

_[;1/]).Pointrvise

inclusion ancl sutliuation is used

to

define

_[zZ.V]o

and we

let [V]o'

be the'

assignnrent of a\I Z € dorn(V) to

_[V(Z)],r'

_[t3].

fftt\t --a,.r

P

[Z\r, =a"1

6(2)

[-M]o

=a"1 P

-

[.lf],

[A,.,

Llo]o =a..1

|,.r[,'1/1],

[r?.Ylo

=a".r

U{6'

| 6'

g

[Vnd'](Z) n1a1,l,l1 =a"y {PlY r,-,,(P

4

P' AT =

6)

+

P'

e

[Mno]

Table 1. Denotational senlantics of cleclarations. dom,(l)):a.,

[a

i! "4](I)

:a.,

[1[r'=

Pc]11-r1:n",

[l

(r _vn(-{)

:d"/

if I

€ dom(A)

if -{:

)''

if Il).

-{e

dom(A)

if

-{

€

donr(l)-

dorn.(V)

if -I

€

dom(l)n

dom(V)

if

-Y E rlonr(V)

*

clom.(A\

0

a.[,r](x)

!,,

t firntrt

f

[lni-\)

(7)

Table 2. Operational sernautics of processes

pt4p, e\e, pt4p, e+e'

p\p'e5e'

;.FT

p

p+aEV V+aEa'

ptaT

pla

FtaE

ptq

-Vat

Ptd

;i-};

;r''+

*P .11il7g.1"F .(,,)rg;

p'('t

p'

p'"1

_P'

q

!:!

g'

,

g!J2:l'.

s,(p)ns,(e)

:0

"t; pgF

-r;ag+ t',.q, --p[lg pld

I

vrr'

' ' '

P

+

P'

_{[a](r){1i---r}

111:+

e'

P3+ P'

P-i157'v

1a'o

/

t't

F

l,-r.J

(I

e rlonr(J))

41J.-+.

p,lf)

Though the logic allorvs verification of timed processes, in general a.n rinlinrited

numbeL of processols is assurnecl

to

be available to execute coucrirrent, tasks. C)onsider, for instance.

n

independent sporadic ta.sks P1, each irrvoked

by

an action a; and responding rvith Dl after 11 units of time, perhaps represerlting t'he spetd of tlre unclerlying processor; Pt

:def

_/rX.[-X

]

ai.e(ti).b,..\]. Let

F _=de.r

_{l\'i'_ruZ(i).lZ(i) ?}

_{Ao..o,lo)Z(i) Afa;lZ'(,rJ))}

lz'(i,t)

:

(bi)tt Albi)z(i) v \,/., (rr)rrn

A,4a,[c)Z'(i,l) A _A,,5,,-_rle_QL)]z'(i,t

*

Ir)]

.F states that if tasks are takerr toget,her then each is either reatly fol itrvocation

ol

is able to complete n'ithin 1,. Since _li"=rP,

_l.F.

rrrtlcss processiug takcs uo tirne, eaclt task must be executccl on its ou'n plocessor.

3 Resource-LimitedSystems

In orcler to reason about the timing properties of comtnut.ticating systents,

it

is

essential to cousicler the limitations of the underlying liardware. Olle approach is to constrain the seura.ntics of pa.rallel cornposition, so that PIQ

4 P'lQ

"not

a,lways" follows P

J+

P', and then verify the properties as usual; auother is have the usual sernantics ancl to verify the properties "rela,tive" to the euviroutttetrt

constraints [15]. \\re take yet auother approach n'hich leaves the sema,titics and the logic unchanged but represents resources syntactically. The rnapping between

Tasks and r?e.sorrrces is the goa,l of lhe Schetluler. Given a set .L of scheduling events and the T'im.ing properties to be estabiished, finding a fea.sible schecluler

(if any) can be represettecl as _{the equation-solving probleru [21,}17]: (T u s k sl Re s otn' ce sl S ch erlui e r )

\tr

|

T i rn i tt, g

This makes

it

possible to represent linrita.tions in the nurnbet'aucl also the speecl of processors. so that tasks need not represeut dela.ys explicitly. We first show

horv a scheclLriel maps tasks to sharecl resources in a cetttralizecl systenr. \Ve sliow

[image:7.595.104.449.146.262.2]

(8)

3.1

Tasks and Resources

Cgrrsicler a set of tasks /ask,;, sotne of thcttr periodic

(i

€

[1,per] ) ancl invokt'd

by tinrers, and thc others sporaclic

(i

_{€ [per'*i.per*.spo])'}atrd invoked bv the

envirolurelt or by sorne other task. Let ?nsfr1 be a simple sporadic t,ask wliich is

ilvokecl by action ?nr fronr the environment aucl rvhich returns a resuit by-oul1.

To represent resource-limited executiotls, let, Td.sfri request a processor (reg,)

irtu'r'recliately after

it

is invoked ancl release the processor (r'eli) rvheu retrtrniug

the r.esrrlt. To t,ake account of the execut,ion speecl, assulle

that

after being

allocated. Trrslr cart only proceecl

if

proviclecl rvith the actions lzicft;.

Ta sk;

_-

4,

f

in,iQ:).rer16.

p X (r).(t icfu rlr _{J) []'( y)}

]

re li.out i('1y). i ni _Q).t'ern.f (r _)]

\\,'e rrse lricl.l to lepresent tlie basic rnachinecycle of the undcrll''iug plocessor aucl

giverr Pr.ocessor'p

(* €

_[1,pro]),speedp. is the minimunt tiure that, must elapse

betrvecu tn'o ticks. Which task is currently executed b1'Processorl depends on thc value receivecl by the last action prl1, (for pt'e-etnpt). The actioti is available

at, any tinre ancl can pre-empt executiott of the current task.

l't'oet ssor'1.' a,.1 prl e(i\.

sX(i).

[X(t)'

pri1,

(7).I

(i ) -t t(speerh ).r

lc*;.I(i)]

'flie

_iclentity'_{of the}executed 1,ask is available to Processor'1 but the cottvcrse is

pot trrre; a task llaJ'be allocatecl to cliffelent, processols clrrling otte ittvocatiott.

r\s contrrrorr iu scheduling theorl'. we assulne that ttrslis cauuot voluntarily'

suspencl themselves. One more assurrrptiou is that all pt'ocessot's sltare a colttlttoll

instnrction set, each taking a. basic tnacirinc cy'cle. Wit,hout cotrttttrttricat,iorr. the cleclarations t,it:k; r1,l

ij

for _{indepenclent tasks}TosAt call only'take ttlo fortrls:

-I(")'licAl.X'(f(r))

I(r) t

ticki.if p(;r:) t,hen

I'(r)

else

I"(r)

./(rr) is assumed

to

be a function evaluation and

p(r)

a test ott tlte argutttent

value

r,

each taking one machine cycle. Any nlore complex courputa,tion

_I

is

assumed to be ma.cle of basic tnachine opelations like

_/(r)

and p(r).

So far lve have only considered one form of invocation. by'action rrln front t'he

environrnent. Tasks ca.n also invoke each other (intry), ofteu as the last actioti

of invocation, and be invoked by tin.rers.

A

tinler (Tinter;) is alrvays readl' to

a.ccept a uerv time period (t,inte;) afl er n'hich

it

rvill tirlreout (lzirrieo'trl; ).

Tinter;'

p-I.[X

:lirrre;(l).I'(l)]

[-{'(l)

t s(l).I'/ !

t irne;(u).I'( u)]

[-\"

:

1??]?€o?di.I

I

tintet(rr).I'(u)]

(9)

3.2

Scheduling

The schedulel' maps tasks to resources. Define tlte following sets of act,ions:

lls

for conrrnuuication bet,u,een tasks a,ncl the scheduler (reqi and rel;). 1-lr for

ac-tions between tasks and resources (licA;)and ,Lsr for actions bet'rveeu tlie schcd-uler and resources

(prlt).

Lel

L

_=a,.fLtsU

Ltr

U Lsr. Thcn using a scheduler

which accepts requests (req;) for processors, allocates tasks to processol's (prlp)'

ancl keeps a,n updated knowledge of available resources

(reli),

tht' nrapping re-sults irr tlie plocess (TaslslResourceslSchedzler)

_\2.

For example, let

_/:

_{[l,.s1.io*perl}

_-

_lI,pro]U

_{f,T}

I'ecorcl the status of t,asks:

if

"f(

t)

: I

then Tas[1 is rvaiting for an invocatiou;

it

f

(i)

=

T

then it

is act,ive

but

rrot. being executecl; ancl

if

_/(t)

€ ll,pro)

then

it

is trrtclt'r' e-\ecu-tiorr ori Processor'.11,).

If

_/(t)

_{= T}

then we say' that Tos[1 is suspenclecl and

if

k 4

rng{f)

then Processorr. is idle. Let initially _"fo(i)

₌

I.

Tlte lelative

'itttpor-tance'oftasks is represeuted b1'their priorities

r:

[1,

spotper)

_{- f.}

trsing

priolities, 7'asA1 n'ill be allocatecl a processor only

if

lno'Iaski of highel prioriti.' neecls one. a.s represente'cl by the scheduler

pX(/o).[f

(/)

₌

"']

s'here preclicate

mcr:r(i.f):a,.t

_.f0):

TA(/U)

₌

T*

?r(i)

>

zr(j)) and

r(/)

₌

_I,ro,=,

reqi.x(flT lil)+

L

t rote t L,r

j

reli' X (

f[L

I

i])+

Inro.r(i..f

_{) L}

o g,n o1.r 1 p;t k()'

x

( _fLk_/i))

Once allocatecl, thc prioritl'-based scliedulel

nili

let a task run until its

comple-tiori.

A

7,trc-etn1tlitte schecluler. itr coutrast, uay't't'place tlie task

(7asl'r)rvitlr

thc lou'est

priolity

anrong all executing tasks,

rrrirr(j,./),

lry the tasli (7'rr.'-{';)

rvith the highest prioritl- alnong suspeudecl tasks, rnar:(r.

_/).

Then prerlicat,e

ntin(j..f)

:a"f

rns(f)

_-

_ll,prol

A

(/(*)

€

[1,pro]

+

n(-r)

< r(t'))

atrcl srtch a

schecluler is

pf

(/o).[f (/)

:

..] n'here

r(/)

₌

_Ir.r=,

recl;.x(flT

_lil)+

I.iii

1s1r'r] reh'

x

(f lL I

il)+

I''nr1

i, _{l )}D r, (,,, g (.f ) pFt r ( i)' x ( f lk I

il)l+

Dnrin(j,J ) n''t 1 1t rtt1' X ( f lf 0 ) I i'T I

i))

For pre-empt,ive schedullng of inclependent periodic tasks, an opt'irrtal alloca,tion

of static priorities is the so-called rate-monotonic order, inverse-proportioual to

tlie tasks'invocatiot'r periods: if periodi

l

periodi tlien ;r(r)

>

n(f ).

3.3

Comrnunication

Assune that tasks commulicate asynchronously througli slra.recl objects. In its

sirrrplest forr-n. such anObje ct provicles some data,storage that can lre reacl using

t,rvo actions (say request and completion) zrncl rloclifiecl, each rvith sortte clela.y

rleluy. Let ,L be thc initial value.

Object _-,i,.₁

pI(I).[-Y(r)'

rrl.t(rl,elay).rr](,u).-\

(r)+

(10)

Suppose ive liave oDj sucli objects and let us rede{ine r?esott,rces to take accottut

of both kirrcls of resources: ResorLrces

-

a"y ll'-l'rPro(:(.ssot'i I lib!-rOb

jecti' Bt

rvitfi

ltutual

exclusiorr over sharecl objects, a lower

pliority

task nlay suspetrcl

a higlier prioritl'task. Fol example,

if r(i) > ;r(f) ) r(k),

llirsk1.

rlay

secule

exclusive access to tlie sharecl objec.t before Task;. Then Tas[,1 has to rvait until

Tcrskl, cornpletes and fasfr, ruay be executecl instead

(priorily

ittt'rrsion). Assune

tliat

in orcler

to

use a shared object Object1,7'as11 first t'etluests access fronr thc schecluler by the action

regt\j):

it

u'ill later perfortll

t.ii(j)

t,,

release the object. This requires sorne adclitional folnts of cleclarations for Tas&'1 :

-\U)

=Ta,riU).nl,.rtl1(t)./',

/r(i).-\'(J')

I(j,.r) =,'utJj).G;

(z).,

r/i(j).-\'

As lick, fepres('lits clel:r-yscaused by thc undelly'ing plocessol's. it neccl uot allPeal

i1 t|tse

<leclarations: deia,ys there' arc only causccl lt1' 1hc sharing of obit'cts

(r.esolvecl b1'the scliedrrler) ancl the tinre

it

takes to access tltelll.

The Ilrltecliate Cieililg

I,riorily

Inheritance Protocol solves _{thc ltloblern}by

assiglilg a prior.itl'to an object, tliat is the rnaxitnumof the pliolit.ies of all tasks

that shale the object p : 11,

obi)-

N'

Thcn each tiure a task obtairls access to all

object. its prioritl.is in-rmecliately raiseci to the ceiling level. Iror a given obiect.

let rlre fulctiop g :

_{ll,objl * l{}

U

_{I}

retuln eithcl the original priorit"'- of the

task accessing the object, or

I

i1 there is no such task. lnitiallr'. g0(/)

- I.

The protocol can rlo\r be aclclt'd to the scliedttlet'. as belou-.

f

(/, r'. ;')

I

Irr,r=t

rcql.I(.f[T

li],s.r)+

I'"'e1r'r1

r

r/;'

\

1

flLl

il's'

ir)+

I'

rr I ₌1

I'e11, ( _J_).-r ( _f_,_sllr(i ₎_{I i).}t _lp(i ) I i)) +

L,o

)* tre11 (

j).r(f.

llL

I i), rls (i) I i))+

I',

o'( t,.r ₎

l)

u

g"

u 1.t t

Ifir

( t )'

r

(/[r'/t]'

g' o)]

*

Irnr:n (j,.f ) lm.rr; r (

t)'I

( f lf 0) I i'T I il' g'

")

3.4 Distribution

The ntapping betrveen tasks and l'esources has so fa.r assunrecl ttse of a c.elllral-ized scheclpler. Suppose instead that ta.sks are partitionecl betrveen ntl

>

0 nocles (i\,o|ei ) ar.rangecl into a logical ring and counected by a rnultiple-acccss uett'ork (-\relrirort'). Each nocle provides computing lesoulces iike clocks, tlletnorl' and

processor.s and each has a local scheduler. The actions at i\{orle'rvill lle clistin-guishecl lrl.tlie srrperscript

i,

l{odei -ae.1 (TcrsksilRfrotLrces'lSche,/u1e

ril\It.

Suppose that each ta,sk has a local object (Object;

for'faski)

to holtl tlie sequences of ruessages to be st'nt.'fhc sencling o{'a utessage rrr is thett tept't'sctttecl b-t' the follorving rleclar;rtious:

-\(rrr)'

rrrt/i).trt;.rcli(s).i,'J,1i;.II1rrr,.sI

-I1(rrr,.s)

i

licl;.I2(s:

nr)

(11)

Silce we assulne that tasks cannot voluntariiy suspend thet.ttselves, a task cau only invoke a reurote task ancl rvrite to a rentote object. Therefore data messages lia.ve tlre forur n.c.j.r' rvirere tt

€

[1, ncl] is a node (n

I

i),

c is either introAe or

urite,j

identifies the task (c

_-

irrt'oAe,

_i

€

[1, spo" 1per"f) or object (c

=

Lurite,

J e [1, obj")), and tr is tlie value passed to the ta.sk or rvritten to the object.

tlnlike the scheduling of local resources (processors or objects) betlveetr tasks, the schecluling of netrvork traffic (deciding which node is allowed to transmit and

for Iow long) cannot be done centrally. We siiall use a simple protocol based on

a cir.culating tokern (lofre rr). After receiving the token, y'{ode' nray trausurit ottc message (thc first message of the highest priority task) before passing the token

to

IYodei*r.

A

task Tcsl'', u'it,h the highest priority is used to irlplement the

protocol on each nocle. This task is spora.dic, iuvoked by action irz" and producing

a result bV

""tl

.Given a function lr(i) on

[i,nd]

which returus eit]rer

I

ol

t'he last message receivecl fronr Arode; (40(t)

₌

I),

tlie ttetrvork is defiled belorv.

l{

etuork

_-a,y

StX(h6).[f(/r)

₌

Do1;y=t

out\(r).X(hl,

I

jD+

D n11 y7

t

1,r(

t +tt _"'oo _"o

(lr(j)).r(Atr/i]

_)]

Let tasks be ordered accorcling t,o decreasing value of priority, u'ith tire tasks

of tlre same priority orderecl by the uurnber

(j).

Given

j

€

[1' spo" + per"], lct

suc(j) return an irnmediate successor of

j

or' _L

if

there is uo successor. 'lheu

r

deternrines not only the importauce of tasks but also of messages: Task\ _-a".1

pI.[X'

...]

_and_{I'ask\(token):a"y}

_{p]''lX' "']}

rvith the cleclalatiotrs belorv.

-\

=

irtirp').tttfr.-\r

(r)

irtr'ocat iotr

Ir(r)

_'tick\.if

;r:

f

token lhe n X2(:r:) eise

)'l(0)

tokerr receivecli

Iz(r)

_'

tick\.i

_{f t f}

i.c. j.u t,hen X3(t) e/se -Xa(c, j, '"-) for us'/

-Ys(.r) 'r'elt.oudlr;.-f

forrvard

r

X/c,

j,u) :

tick\.if

c

₌

inuoke. then X5(j.

r)

else ,Yo("r,

,)

invocation?

Xs(l,

r)

=

re{,.;nr'11u;.f

invoke ₇

Io(-1,

r)

_':

veil(j).rL,ri

_{t,'l.r-1'r(,,).rt}

write to

j

-;

X,

: i.el',.X

release

Yt(j)

=

tick\.\'2$uc(

j))

sn'raller priority

Yz(il

_'

tick\.if

_i

₌

Lthen

\\

else

7'a(i)

the smallest'i

Yj

_{=;i.orir(loken).-Y}

elease trud foru'arcl

\'+(

j)

=

vdilU) rAj.ra',l4.iift(r).Y!(r,

s)

read

j

)!(.r,s) 'tick\.if

s=e

then

l'l(j) eiseYo(r,t)

notnessages'i

)'o(-1,

") '

tfcfti.)'7(j. s6.

s)

take tlie liead

1'7(j,m,s)

_'ffcki.Ii(j.

rn.

s/)

a'ke the tail

l!(j,

rrr. s1

=

re(r111.r.7;(").r€i

l(i).)'g(rr)

rvrite thc t,ail

-;_

I!(nr)

I

,'e l'1.ottt'r(m)l*" (toke

n).I

release atitl setrd

f ,et .\ orlr iltol'" n) be like .\'otlrt lrul n ir h fu.s{'i (lol't n ) replacirrg

Tu"l'!

arr<l le t

l,{orler holcl t,he token initiall.v. Tiren for Lc contaiuing actions rirr" ancl otrl", rve

(12)

3.5

Speciffcation,

Verification

and Equation-Solving

So far rve have shorvn hon, a sirnple timecl process algebra fi'amervork cau be used

to

builcl a fairll' general rnoclcl for corrrt'uut.ticating systeus rvhich is capable o1'

representing resource-linrited executions. We shall now shorv horv the timecl and

untin'red properties of such s1'stems can be specified ancl verified.

Cionsider tu'o actions. a ancl 6, fol which

it

is required that x'ltertevet o occurs. b occurs at tnost d later (71fu,b,d)) or d earlier (72(t'b'd)).

T\(a,b,cl) =a,1

uZ.lZ

'lr.]Z'(0)

A

_/1,*"lalZl

lZ' (t

)'

(b)1/

^

[b)Z v V,,(rr)lrA

A,lulr)z'

(t) A

_A,.a-,

_le(u))Z'(t

+

u)l

T2{a,b,d) =a,,1

vZ.[Z

'ltL]Zt(0) A |1,*"lctlZ)

[Z'(t).ft]f

f

tA,7rl")Z'(t)

Afi.,r.o[e(u))Z'(t+ tr)

_lt

< d]

lZ' (t

)'

lb)Z A A,,*blalZ'

(t)

|

t >

d)

A sir-nple functional propert,y, iu contrast,, l'ould state that if tlie value

r

rec.eivecl

b1'action

n(r)

satisfies a prr>couclition pre(;r), the value y of b(g) nrust satisfl'a post-condition posl(r,y). This, plus the timing requiremeut that b(.y) occurs uo later tharr 11 after

n(r),

is defineci by the predicate belon'.

Ti(t(t:):

pre (.r), b(y) : post(r,y),d) =a".r

uZ'[Z

_{=A".,7,'.1"y[(Q))z'(0,r)} A _A',-r''"_{r"-rla(t:))Z)}A

_/\,,*.lo]zl

lZ' (t . .r' )

=V !),r,o.", (,,u r ( (D( e ))

tt

n lb( y)) Z ) v V" (cr) tt n

A,,tlr,)Z' (t) A _A,,<.r-,[t(u)lz' (t + u)l

It

is also eas)' to clefine tliat, o occul's nit.h periocl

p

ancl ji11er 11. relative thc beginning of each peliocl. Predicates such as this catr be usecl as the l;uilclirtg

blocks for typical transact,ions, relating lhe timing and values of task ittteractious.

A fransactions s,ill typically rcla,te the input to a. task (Taski) u'itli t'he otttPut

frorl

another t,ask (Tn.si';) which tnay

uot

be on the satrle trode. Let 7irs,t;

be loca.ted at .Nor/e",'l'cr.ski

aI

ltiode"' and after the action irri(:r:) irr ivhich rr'

satisfies the pre-conclition

prr(r),

action

ou{'(U)

must occur no earlier tlian d1

ancl no later than t/2 ancl

*'ith

g satisfying the post-conclition posl(.r', y)' Transaction -a,.s Tl(itt'i'@) :

pre(r),"".{'@):

post(.r:, y), ri _1)A

A., ., Trli''o' 1'1'

_^'{i'

6) , _'12)

With lirnited conrputing resoufces and in the absence of assumptious about hon'

often

inf'

arrives.

it

is in general impossible to nteet this transaction. Let d2 be the minimum intet'-a.rrival time for action zrrl':

.'1.)-stl?7?pl io?? _{=,ir.f A,,,,}T2( i n'l ( r: _)'rinl' ( y), rl z )

Tlren given a real-tirrrc s)'steln (Sysl,etn), the properties of trausactions trrust

orrly be verifie'cl rvheu tlrc assrtmptiotrs ale satisfiecl.

,9yslent _{l,,lssurrrptiort}s

)'f

ransrLctiort s

(13)

And

if

System has the form clescribed earlier, verification

will

take a

full

ac-count of the constraint,s imposed by the underlying irardrvare, for centralizecl

and distributecl systems lespectively.

(T a s k sl Re sow' ce sl S che dule r)

_\I

_l,4ss'rrrnplrio??s

+

T r an s act i on s (l{oclel (token)lli!_tl,{ocle'lhretuork)

_{\r. F}

Ass'uttptiorts:+ Tr(i.tlsacti.orts

One more advanta.ge

of

representing resource coustraittts syrrtactica.lly is t,hc possibility of fincling a feasible scheduler

(if

one exists) automatically, as tlie

rvell-knolvn equation-solving problem. Tlie problen has attracted sotne attention

[21, 17] and algorit,hnric solutions have been plol;osecl ancl inrplerttcnted [10].

Fault-Tolerance

for Unlimited

Resources

In

Sect,ion 2 rve introduced a general framenork for desclibing and reasouiug

about distributed ancl rea.l-time systems and in Section ll showed horv to represeut

and verify systems rvhich can only rely on limitecl (in terms of the nun.rber aucl

speed) set of hardu'are resources. And we made

it

very specific of iiorv hardrvare

(processors, memor)'. clocks or communication media) should behave in older for propelties of tlie overall systen to hold. \\/e non' shorv horv to reasou about

systems that ale designed to sustain anticipated hardrvare failures. to shorv that

thel'are provably fault-tolerant. \Ve continue clesclibing faults ancl their effect

on t,he semant,ics of TCICS, and then show horv rve can prove fault-tolera.uce. fot'

given assumption about fa.ults and first for unlintitecl rcsollrces.

4.L

Faults and

their

Effect

The fault-tolerance of a system is ofterr verifiecl by synt:rctically' tlansfolnring

it

irrto its fault-affecled version and then verifying its properties as

if

no faults are present _[18].This method allows sta,ndarc] techniques to be usctl for proving

fault-tolerance, so \\re begin by examining irou'

it

ca.u be rtsed itt our logic.

For a process _Q,assume that a 'faulty' declaration

f,

iu

geueral diffelelt

from 'normal' declarations being part of the syntax of

_Q,

is used

to

specify

arrticipa.ted _{faults. Let Q}be transformed

intoT(Q,P)

to represent the eflects of

such fauits. The transformatiou is clefined as follorvs.

T (0,\I/)

:a"1

0

T(pX.A.V)

_{:d"r tlx.(AfiV)}

T(o.Q,i!)

-a"1

a.T(Q,V)

T(Qt

+ Qz,V) =a"r

T(Qr.\I')

+ T(Q2.{r)

T (Q

tlQz,i!)

:a,,J T (Q _r,{/)lT(Qr.{/ ₎

T(Q\

L.tI/)

=a".rT(Q,f)

\

I

T(Qlel.v)

=a" 1 T(Q,V)lsl

Assrune that

7(Q,f)

is well-definecl. i.e. all coustant,s declared. ancl sinct'

farrlts are autononrous, a.ll expressions

_[rZ](I)

ale t'itlier prefixecl

ll1-r

or a.ltr

(14)

a surllnation of such expressions. Such a 'faulty'' declaration

{'

is gcnerated b1' tlre abstract syntax V

:::

r

O

c

I tZ.} V. Sorrle exatllples are a processor rvhiclt 1ra-r- clecide to tick early, a tirtrer n,hic.h tnay tirneortt late. a shared object rvhich

sornetimes fails

to

remernber a. rvritten value aud

a

ttetwork ivhich mav lose nlessages. Such faults are rePresentecl by the rleclarations below.

V1.,o,,,,o, _=,t,1

r

(.a)

_[X(t)

_{'prl6(j)'I(.r) +:(}

speetll

-

1)'l1cA','-f (i)]

Vri,,rr,

=tte.1

r

Q)lX"

₌

l1l;.tr'rnrotrt;.-Y + lzirnel(u).f '('u)l

Vobje,:t

_=d"1

r

6r

_{[I(r) :}

rr!..llel,tu1.r'rl12).I(r)f

ul(y).e(rleln9).I(,r)]

V,etttork =d".J

r

(l

[f

(ft)

₌

f

(lr[f/j])]

Horvever, given

a

process _Q,a spt:cification

I

of fault's artcl

a

propelty' ,F

tlrat rnust liold ciespite these laults. verifying

_{T(Q,V) I f,}

is not suflicient to

prove that Q is _{lault-tolerant Ii2].}

It

is uecessary' to take iuto accoutrt that faults are unpredictable: after proving coLLecttress for a uumber of anticipated fauits. correctlless for any sul)set of tliese fault rnust be (provably) guaranteed. This.

horvever. is not the case for Q and

f

belolv because

T(Q,V)

=

I- (in thc pl'esence of all faults) but Q

F

,F, (in the abseuce of faults).

Q

:a,f gf.

[X

₌

6.I"]

[X'i

c.I"-+ 6.I"

+

r.X"')

rlt :de.f

r

r.-,

_[-I

3

_-I/]

[X"

₌

b.I][I"'

?

u..X"

* r.I]

f

--ac,t [e](o)ti

'f[e

leason is action r-r rvhiclr is only'possiblc itr tlie plesenct'of faults. But

everi if Q

=

I-

alrrl T(Q,II/ + O)

_{? l', t;}

rna,Ji no lougel holcl if

onll

sonre of thc

farrlts are present'

(T(Q,V)

_f

F),

as belorv.

'_lhis _is_beca.use_{the faults}0. may lesult irr the state

X"'but

therr action b

is only possible in the preseuce of @. The property of _{faull-monolotticily}ts nol

assured

in

this logic

or

in

many ot,hel senra.ntical tlieories

for

brauching tirne

(bisimulatious, testing equivalence, etc).

'Ib

_{defile a fault-monotonic}version of the logic, hou,eveL, lr,e tteecl to first, definc tlie fault-a.ffectecl semantics of the language explicitly. \\re clo so rrsitrg r.elation

r;+

for f-a.ffectecl trausitions. rvith r;-+ defirrecl sirnilarll'1e --+ . but

nith

one aclditional transition rule:

Q

:a,7

pI.

[I '

r.X'+

b.I"]

[I'

₌

a,.X"

+b.X")

[x,,=

6.r][r"'

-

u.x")

rlt _=de.f7 r.-r

_{[-I/ - {///]}

<P _=ae.f?- _€)_[X/'/

=

I]

f

:tte.f _[e](b)tt

ancl 1 €

_{o,4}

in Table 2

E,#E';,i€I

_{' ''}

_"

=

' .-

lirr all

Er?E'

[v](r

){!i^lY}

+

P'

F

I't1Ei.iel

E t-+

ll'

(I

e r/orn(f ))

(15)

4.2 Proving

Fault-Tolerance

Any transition w'hich is possible in the abseuce of faults ( ----+ ₎is also possible in

their presence (

r;+

_).But in a fault-nronotonic versiou of the logic, transit'ions

rvhich are onlg possible in the presence of faults require specia.l attention as t,liey must be tolerated lvherr they occ.ur but, like faults, they catttrot be reliecl upon

to occur. The first step torvards t,his is to retnove negation frorn the logic.

Ite

::=tt

_I

ff

I

Z I

V,rtF.

I

Aierre

| (6).nr | [a]l7e

V

::=

_{lZ' Felllz'}

Fe)Y

F

:::lr

I

fJ' lvZ.Y

I

pZ.Y I

V,.rf'

I

Arerf'

|

(a)r

|

[a]r

'Ihe next step is to removethe symrnetry between modalities,so that (cr),|/ is

verifiecl accorciing to the transitions ----+ _{and [cr]fl}according

to

_;+;the

latter rvill ensure that such transitions are tolerated and the forurer that they are uot'

reliecl upon. Given

f.

the senrautics is belorv (Q

_llv

F

iff Q €

[f]).

[tt]5 =a,1

P

[f

f\t

=a,t

a

[zno -a"1 6(2)

[Ai.r

4no =a".r f-lie

r[4nr

[pZ'v\a:a,J

){5'

]

[V]r'

c

6'](Z)

[!;.7

F.no _=a'.r_Ure

r[Fi],'.

^[uZ'Yl6:a".r U{6'

| 6/

c

[Vn6'](Z)

(3)

[(a)f],

:a".1

_{Pl}r,,,P

4

P'

r\t

₌6 A _{P' e [Fnr]}

[ta]r'I,

:a".1 _{PlYp,.(P

_#

P'

AT:6)

+

P'e

_fiflno]

,Lhis treatutent of modalities colrespouds

to

the rvay the refittetrtt'ttt

1tt't'-orcler of \{oclal Process Logic _{[16] receivecl}its nioclal _{characterisation Il-1].'fhe}

rnot,ivatiol there is cliffelent: ----+ a,re transitions of the specification that the

irnpieruentatiou tllust perfornl. and

r;+

are transitions that lllay ol'tlla1'tlot be

performe<I. (N,IPL ancl fault-tolerance are discussed again in Section 6).

Fault-Tolerallce

for Lirnited

Resources

A realist,ic analysis of the tirr.ring properties of a syst'em must take int'o accouttt

the linritatiotrs of the underlying hardware. This is even rnore Ireedecl

if

har<l-ware fa.ilures are

to

be toleratecl. Fault-tolerance recluires

reduudancy

acldi-tional components (hardrvare redundancy), instructions (soft'rvare redundancy)

or executions (tirne reclundancy) and leduudancy requires resollrces and time.

R,esources r-nust be assigned rvhen a fault occurs (e.g. for roliback recovery') aucl

also to enable run-time recovery, e.g. for perioclic checkpointing and for votiug

on t,lie orrtcottte of N-moclular exec-utiotrs.

We shall no*'combine consicleration of lesource iimitat,ions aird faults ancl sho*' ho'w tht' tirning properties of fault-tolerant aucl resourcc*litt-tited s1''st'erlrs

can be analysecl. A nrajor issue, like before, is the allocation of tasks to resources. But now n'e shall use clynamic allocation accortling to the urgeucy of tasks ancl ai.'ailabilitv of resources.

(16)

5.1 Proving

Fault-Tolerance

for

Bounded Resources

As befolc, let a s1'stem consist of a nurnber of tasks. Ttrsl;,s. sotue of theln _lterioclic

alrl

others spora.clic, each rvith its oil'n titner, executed on a cetrtra.lizecl set ol

resources, Resonrces, including plocessors and protected shared objects. Let a

sclrecluler, Scheduler, ntap tasks into resources in a lvay

tliat

ellstll'es

tliat

the

tiniing constraints Tinting are tnet clespite harclrvare failures

Vrrror,rr"r-( Tc sk _{s l.Re.so}rn' ce sl'9 c h e d'u /er ₎

\/,

_lF*,.

".,

",...

T i m i n q

Tinirtg

nta)'contain

a

nuntber

of

lecluiremetits

but

rvitlr lirritecl cotttprrtitrg

r.esources ancl w'ith llo assurnptions about horv often sPoladic ta.sks at'rive, t<r

satisfy tlrern ntay'llot be possible. But Timittg cottttritis uo uegatiotr (to eustrrer

fault-nolotonicity) and thus cannot e-\pless inrplication. This basic problellr

results frortr

tlie

ua.ture

of

verifying the timing propelties of resoulce-ltouutl systems in t.he preseltce of faults. We shall assullte thtr.t resortt'ces, ,flesottlces,

al.e rlot shart'd rvith ta.sks lvhich are part of the environtt"teut.. Therefolc the

inter-arrival

tilie

ol tlie sporadic tasks (perhaps iuvoked by these euvirottnreut tasks)

*,ill

never cleperrd on fzrilures of these resources. 'fhe solutiolt is

thel

to first

verifl' assurnptions

in

the absence of fa.ults

(l)

and

if

they liolcl tlien to also

velify' tlansactions in the presence of anticipated faults (|Fs,.""",..").

(TasA's|-Resou'cesl,|cheduler)

_{\tr l'4sstnnptiotts}

thetr

( Tns l.s _IRe.so rn' ce sl,S c hedzle r ₎_\.r.Fv,.. " ", "" " T

r t n s u r:l i ott s

5,2

Dynamic

Best-Effort

Scheduling

In or.cler to nrake decisions after the occurrence of a fa,ult. a scheclulet' tttttst ltavt: irrformation about the resources available at

that

tirtte. I"ol exattrple, collsidet'

a fail-stop assumptiou _[25]and the actions crashT, aucl repairedp b1' rvhich a

sclreduler. is inforlted of the status of Proctssorp, a.ssrttttitrg that rellair takes time re pntirl:

V.f _ntt-rto11

:dt.t

r,.,

([f

(t)

t

f uitr,.e(repairt).]']

[y

'i:l:paire.d6.

Ii ir"lt(,r).f

U)])

Let the furiction g

I

_ll,pro]

_{- {I, T}}

for

k €

fl,pro)

return

T if

Proc:essor1, is operative ancl

I

otherwise (initially _so(k)

_{= T).}

Then iu orcler to

uou-pre-eltpt,ively schedule inciependent tasks

in

the preseuce of faults. n'e have the schcclulel _{tr,\(.f0, So).[X(/,}S)

₌

'"]

where

-I(/.s)

₌

I1101=.,_ req;.X(f lT li), s)+

Lrr o.r(i,.f ),rk /r rt q(.f I A s( kr=r

pr 1r' ( i _)'-r( _f_lk_{I il'}g ₎₊

Is1r'y=rnr,g ,,!t1.v1 f ailk

'-r(/' y[r/r'])+

Do1* y=tnou,,,s1.v v f (1il r' X (

flL

I'f

-'

( A )]'

.l[r/k]

)+

futur=r

re YttLir'7,'f

(f'

g[f/]])

(17)

Another consequence of the preseuce of fa.ults is that the static allocation of pliorities t,o tasks is then usually ineffective. Consicler the n'ell-knorvu earliest-dearlline-first (EDF)policy: t,l're closer the task's cleadlint, the _{higlier its lrliority.}

This policy is easy'

to

implement for tasks rvit,lt incliviclual deacllines. Let

r/

: [1, spo*per] ---- R1 clenote such deacllines and for all i such that

/(i) I I

(i.e . for all invokecl tasks) let ll(r) return the time that, TasA; has beeu irrvokecl; initially

h0(i)

₌

0. \\re introduce a nery prefix operator ctOl.Pe to t'epresetrt the clelay

before the action c is offered a.ncl assurning {,hat Pe c.ontaius the tirne variabie

t,

rve have the rules

[email protected]

feTOlt) and a@1.

I'c'tdl

[email protected]

+

dltl

_126).

Finalll', let the preclicate rrr.in(i, _f

_,h,t)

hold if anrong the susl>eticlt:rl tasks, 7'n.sfri is the closest to violating its tleadline: nztin(zi, _f

,h,t)

_=a,.r

f(i) -

T

n

(/("r)

:

T +

r1(i)

+

A(t)

_{- t <}

d(j) +

A(j)

_-

l).

Then EDIr carr be implenrentecl by'

/rI(/b,

go, ho,[)).[f (/, g,

h,t)'

. . .] _n'here

X (f _,s,/r,

l)'

_I.rrol=,-_{reqi(01.-r-(/[I l}

i],s,

hlt

_{l il,t)+}

I/101g1t,t1 re/,:@l'I(/[ L I i]' s' h'

t)-l

Lu,,,1,..s,o,r1nkt..rns( ! )ns(r,t=r

z'lr

(i)'at 'X ( 'f lk li)' g ' lt '

t)I

Ig1u v=. n n g,," 1r1 1 1 f ail x

@l'I("f'

clL / k), lt, t )+

Irlu

;=.n0.,,,s1 1 y

f

ailk@t' x (

flL

/ f -

r

( k _)l'

s[I/]1,

h' l ₎₊

Ir1^.1=r [email protected] (f

' g[T /k]. h ' t)

The UDF policy is optinra.l for indepenclent tasks on a, single fault-free

1;ro-cessol a.ucl a besl eft'ort policy in general _[23].

5.3 Dynamic

Planning-Based Scheduling

A

planning-ltn.serl schecluler, in coutra.st, will onll'schedule a task if its cleacllines

can be guaranteecl. Let each task request a processol by'sencling an upper botrncl

bou.nd(r) on t,lie nurnber of basic machine cycles to cor.rrplet,e a.n invoca.tion

(r

is a pararneter) and let acceptance and rejection oftasks be representecl

b1'thc-actions occi and rejr respectively. Tl.ren for sporadic tasks we have:

Taski _-4"7

gI.

(licA1 O C)

[I'

fnl(r). reqi$ound(r)).(acc1.]-(.r)

*

rej;.I)]

lZ(r)'

reto.oul(z).X)

A

planning-based scheduler

will

maintain a schecluie of all tasks

that

rvill

guarantee their timely cornpletion provided no processors fail in the meanrvhile.

Tlre sclieclule is represettted by the function h : [1 .pro]

-

fl,per

]

s,po]* rvhich

returns t,he sequence of t,a.sks that are scheduled to be executed otr each processor'

(l (ft)o is ctrrrently executetl on Processor'1, alld initially lo(lr)

:

e _).In aclclition.

n'e apply b

: ll,pet'+

spo)

-

,'\r to retuln the upper bouticl on tlie tiuurber of

nrachine cvcles for t,Irt' curreut iuvocation of each active task (initialll'De(i)

₌

0).

liach tirne a task cornpletes. the next task is t,ahen for execution aud u-hert a nerv t,a.sk arrives, tlie schc<lulel w'ill

try

to accorrrnrodate its executiou in the

existing schechrle. 'I'his is clorre by'looking fol atr operative Pi'ocr.s.sor';. u'hiclt is

(18)

fa.st euough to guarantee the additional task's deadline (c is the uulrber of cy'cles

ancl strrn returtrs the srttn of

all

rrurt-rbels

in

tlte seclrieuce): _/sl(r.

k,h.c)

=a"1

(sunr(h(*))*c)*speedl _{S d(t).The}task is acceptecl

rf

such a processor exists. hi

case a processor fa.ils, the schedulel lvill try to relocate all its t.asks {br execution

on other operative processors. This, horvever, may not alrvaJ-s succecd and the sclie<luler then t'r'rters a degracle<l nrocle of operation in rvhich tasks n'hich cauuot be accornnroclated rvill be dropperl from t.he execution. Each tinre tliis happens. tlrc a.ctiorr A;g;nAi is perforrttecl, auuottuciug the nurubel of the task.

I("/,9,/,.b)

t

_{I11ny=_,}

reql(c).I1(/,g,h.b.c,i)l

Iylo

1s1

t.t1

rel;' X 2(

flL

I i)' u' I tUr (.f (i))' I f

()l'

6' /( ; ) )+

Ioluy=.

f

uilp'X3(f

_'slLlk)'

l'

ll'

r)+

Iu1o1=t

lcTrazr'1'-I(/,glf

_Ik),lt'b)

,\' I ( /. y. lt. b., . i)

=

_I-rrr

_)-r+

_{../ -r(i.a .n.,.t}ru

_i,.'\'

( _[.g. h. l,Ja

Ie1,t)=r'n1"r(i,Ar,h.c) ilrci'X2(f lT li)' s' hlh(k)

:

ilkl'blcli)'

k)

Xz(1,s, h, b. A,)

_{" if}

h(k)

₌

s V _/(lr(ft)o)

_I

T

lAe rr _-Y(/._{lt,h,b) elst}_{Ttrtp(h(k)o).r(/[A/lr(,t)6].}s. lr, b) X:1.f _,g,h,b,,()

_{' if}

h(k)

₌

e then

I(/,g,

h,b) else X+(f ,9, lr.lr.l'. ft(fr)o)

X+(f ,g,/t, b, A, i)

i

_{I,rrt=rn.lsr(i,r.h,i(r:))}

x'zU,u,hb(k)'lk,h(l) :

illl'b'l)+

Ir1,

_1=t*-.f s r(i,t. h.i,( i) ) de g r nde (i )' X :)(

/'

9' h [/r ( f' )' / k)' b' k)

xL(.f, g,h,b, k)

_"

iJ

h(kJ

:

€ v f(h(k)o)

*

T

llrerr -\3( /, S. h, b) e I se 1n't 1,(h (k)0 ).f3(./[A'/ir ( _{t' )6]. a. /r.}6)

,\s n.e can see. the planrring-basccl policl'al;ove u'ill only provirlc guaratrtt't's

il no failure occllls aftel tasks ale allocat,t'cl but n-ill otlteru'ise degladt'glaccftrlll''

if

some tasks cannot be accornmoclat,eci. tlncler sufficientll' stlorlg ;tssuttrptions

it

rr-ray be possible to plovicle guarantees in the presetrce of atil' farrlts, but the issues of feasibility (assurnptions) ancl utilization (r'esoulces)

tnal

trtalie such a

solrrtion impractical. The graceful ciegradation. ltonever', rvill make

it

possible to share the loacl a.rnoirg the different nodes of a. clistriltut,ecl systettt. ancl to relocate

the tasks for u'liich the deacllines cannot be guaranteed. We havc alreacly shorvu

horv to schedule netu'ork traffic to consicler the urgency' of nressages. A sirnilar

replication of objects and tasks can also be usecl to ensure resiliencl' to uocle aucl

memory failures. Thc issue is then to ensure t,hat tlie replicas are consisteut.

6 Conclusions

To analyse the timing properties cif a distributecl sy'steur, it is essential to cousidcr

the iimit:rtionsof the resources of the. syst,em artrl the wa\'fesourc(.s at'e a.llocatecl

to tasks.'fhe existing forrnal tcchniclues ale eillrel based on the nt:r-xitttal

pat'-a.llelism assrrnrption

or

provicle verl' basic Ineans

ol

resolving conrpetition for

rcsourcesj bv sttrtically assigning priorities to actious.

lf.

in aclclitiou. lrarclrvare

fa.ilures ale

to

be consiclerecl. then to staticallv detertuiue the task executiott

orclel

is

rrsualll.inappropriate.

In

this paper. rve have shou'u horv

llie

sirrtple

(19)

framework of Timecl CCS can be used for a geueral n-rodel fot' resource-basecl executiols. We have also clemonstratecl the use of different techniques for t'ask

schecluling

-

non-pre-en'rptivt-' and pre-emptive, static ancl clynan'ric, best-effot't

and planning-basecl arrcl show'ecl ho'rv to handle priority'inversiou ancl to

schecl-ule network tra{fic.

Since faults are unplediclable, reasoning about fault-tolera,nce tnust, be

fault-rnonotonic: after proving correctness for a nttmber of faults. correcttress for sotrie

of

thep

must be guaranteecl. Nlost te<:hniques for provable fault'-tolerance al'e

based o1 a sy'nt,actic replcsentation of faults. Using modal p-calculi a.ncl the

acl-ditiolal

trapsitions t,o moclel the effects of faults, we have cletnonstratecl that t'his

colnlrioll technique rvill not ensule fault-n'ronotonicity. The first step in a solrttiotr

is to clea.rly separat,e design clecisions an<i envirotrmeut assutt-tptions atr<l this rvas

done by provicliug the explicit fault-affected semautics of the process languagtr. '.fhe semantics is usecl in the second step, n'here the logic is refined into its

fault-monotorric versiou using the timecl ancl moclal exteusiotts of the ]lennessy-XIilner'

logic. The logic can verifl' fault-t,olerance an<l lve have deuroustratecl

tliat

it can

be usecl to specify sin-rple trarrsactious.

Our work has been based on the timed extetrsion of CICS, Timed _{CCIS [26],}

and this rl'as chosen as the sirnplest fi'anrework to suit our purposes. TCCS has

beerr

furtliel

extendecl to allorv loose specificatious, in Tinred Nloclal

Specifica-tions [7] rvhich follon'\Ioclal Process Logic _[16].

It

is possible to rrse N,IPL to

specify ancl ver.ify _{fault-tolerance [4].}N,IPL and

its

refinetnetrt orclt'r'ing u'oulcl

also pern'rit ferver faults tharr tlie maximun.t to occur. apply'ing adrnissible

tran-sitiols

t,o sltecify tlietn.

flut

n'ithout separtrtiug design constt'aitrts (tlansitions

11-hich are admissible but unnecessary) and ertrriLotttttettt assutlrptions

(tl'arlsi-t,iols

rv|ic|

rnodel faults), N'IPL ca.nnot, rvit,hout risking lealizability problerns

[], 2], support refinement t,on'ards an inclea.sing ttumber of faults. As tieu'clesign

clecisions are rnacle ancl tlie neeci for ne'iv ha.rdrvare or the higher reliabilitJ'arisc,

it

rnay be necessary' to tolerate nerv faults that coulcl uot have been a.nticipatecl

earlier. For untimecl s1'sterns ancl unlirnited resources, this rvas desct'ibecl in [12]:

for tirnecl syster-r'rs ancl limitecl resources. this

will

be subject of a colttpatriotr

I)aper. The idea is

to

provide two u.ays of refiuement

to

take accoutit of' au

increasing number of anticipated faults: the rich-man's refineuent' proceecls to

tolerate ail anticipated faults,'cleating'new resources rvhenever neecled to

sat-isfy dea,cllines; the poor-man's refinement proc.eeds until the level of redundancy

required exceeds u,hat is available iu the set of resources.

References

t. N{. Ahadi a.ncl L. Lanrport. (lomposing spe<:ifications. --1 (.1 .\[ Tran,sar:t.iorts ort Pto-gramnilr.g [,crngtrrtgcs cnrcl ,Systetns, 15(1):73 132, 1993.

N'|. Abacli, L. Lanrport. ancl P- \\iolper. Rea.lizable anrl unrealizable specificatiols of rea<:tive systclns. Lir'C,J. 372:1-l7. 1989.

3. A.A. Rertossi ancl L.\;. N{ancini. Scheduling algorit,hms for fault-tolerzrn<:e iIr

ltarcl-rr:irl-tinre s-vstems. Rtul-Tine ,9gstetns. T(31229 24i-r' 1994.

(20)

.1. _A._Borjessorr,Ii.Cl. l,arsen, ancl A. Skou. Generalitv in clesign and compositional

verification usiug TA\,'. Forntal x[ethods in.5y.sttrn Drsiqn.6(3):23!t-258, 19!)5. 5. A. Burls au(l A. Wellings. A computational model for fixed priorit-v scheduling.

In N{. Joseph, r:ditor, Real-Titne ,9ystems: ,9pecification, \|erificot.ion uttl Analysis.

Prent,icc-Hall. 1 9[)5.

6. J. (ia.nrilleri ancl (i. \\'inskcl. C.l(lS rvith prioritl' choice. In.f ortnation artcl (.lorrtPtL-t crti ort. 176:2(i--37. 1 995.

7. [i. Cerans. J.C]. Cioclskesen, ancl Ii.Ci. Larsen. 'l'irnecl mo(lal specificat,ions. lt\-(1,5, 715 253 267,1993.

8. R. ('leravelancl ancl t\'1. IIenness.y. Priorities iu proce,'ss algebras. lnfotntatiort artrl. Corttptttcrtiott, 8T:58 77. 1990.

!). It. Gerber alcl I. l,ee. A resourcc-basecl prioritized bisirnulation for real-tittte

s1's-tcrrrs. 1n/orrrt ati.ort attd (lotn'lttt'lr.ttion, l lil:102 l'12. 1994.

1iJ. J.(j. (loclskesen et a.l. Ep.si,lon - User's ]t[a.n.uol. I)epartrnent of Nlathenratics ancl (.lourputer Scieuce. Ilniversity of Aalborg' 19!]3.

I 1. l,I. Ilennessr, ancl T. Regan. i\ process alge bra for tirned s)'stems. Technical t t:Port.

llniversitv of Sussex. l!191.

12. 'f . Janorvski. Bisimrrlrftion and Fa.ult-Tolercmce. PhD thesis, l)epartment of

('orn-puter Science, ITniversit)' of \\Iarrvick, 1995.

1:1. li. Larsen. Proof s)'stenls for Hennr:ssr'-N'Iilner logic rvitli recrtrsion. l.\ C:'5,

299:21it 230, 1988.

14. Ii. Larsen. NIodal specifications. LN(:'9,407. 1990.

15. K.(i. Larscu. Conte.r:t-DeperuJenl. Bi.simulution Betu:een Pt'occsse's. PlrD thesis.

Ilniversit-v of Edinburgh. Scotlancl, 1986.

16. Ii.Ci. Larsen alcl B. Thornsen. A modal process logic. ln Proc:..'Jrrl .'lrtttttal

'Syrtt-posittrrt on [,ogic in. CotttPtrtt;r,5cienr:e, pagt:s 20i] 210, BB.

1?. X. Liu. ,9pecificatiort nncl I)t:corttltositiort irt (loncurrency. l'hf) thesis, I)t'parttttcnt

of N{athernatics ancl Clontputer Sciencc. I-lnivcrsit}' of Aalborg. 1992'

18. Z. Lil alci X{. Joseph. Transformat,ions of programs for fzmh-toletattt:t. Fortrtal Aspects o.f Contputirtg. 4:442 469, 1{)92.

l g. R. X{ilner. (lornntttniccrt.iott, ctnd (lon,crn'rettcy. Prentice-FIall International, 1.()89.

20. F. Nloller ancl cj. Tofts. A tenrporal calculus of cornm. s-vstems. lN("5, .158. 90. 21. J. Parrow. Subrnoclule constrnction as ecltation solr,ing in CCIS. Tl'tcorL-ticrtl

(lont-puter,9cie.rtce. 68:175 202, 89.

22. P. Pleinevaux. Real-tirne fault toicrant operation of the 802.5 token ring.

Renl-f ime,9yst.enrs,8:79 91, 1995.

23. I{. Ramamritharn. Dynamic priority sc}recluling. In M. Joseph, eclitor, Reol-Ti,nte ,gystcnts: SpeciJicatiort, lierif ctttion a.ncl Analysis. Prentice-Hall, 19!15'

24. A,. Salrvicki antl T. N{iildner. On the algorithniic properties of concrtrrent

pro-granrs. INCl,9. 125. 1981.

25. R.D. Schlichting ancl lf.B. Schneicler. Fail stop processors: An approzrch to

clesign-ing fault-tolera.ut compnting svsterns. A(tll Trans. on (iomP. _{'9ys'. 1(:1),}1983'

26. Warrg Yi. I Cirlcuftts o.f Real'I'ime ,gystetns. PhD thesis. Depa,rttnent of C)ompttter Scie:nce. Clhalnrers Liniversit]' of Ter:hnologr'. 199I

'l'his a.rtic'k,r!as l)t.oc(.sse(l rrsing tlre LNIi,{ rna.cro Packa.ge rvit}r LLN(lS stvle