Defects of the POSIX Sporadic Server and How to Correct Them
Transcript of Defects of the POSIX Sporadic Server and How to Correct Them
1
Defects of the POSIX Sporadic Server and How to Correct Them
Mark StanovichTheodore Baker
An-I WangFlorida State University, USA
Michael González
HarbourUniversidad de Cantabria, Spain
2
Overview
•
POSIX specification broken–
Budget amplification (accounting error)•
Interference can grow over time
–
Premature replenishment•
Invalidates sliding window budget constraint
–
Incomplete temporal isolation•
No way to limit low priority execution
3
Motivation•
Sporadic server (SS) is well known1
•
Many uses–
Bounds interference for other tasks
–
Service device drivers–
Composable
systems
•
Only POSIX policy that limits CPU time•
Alternatives (CBS, TBS, …)–
Not for fixed-priority systems
1
Sprunt, Sha, and Lehoczky. Aperiodic
task scheduling for hard real-time systems.
4
Sporadic Server
•
Used to service aperiodic
jobs in fixed-priority task scheduling
•
Interference like a periodic task–
Period = replenishment period
–
Execution time = initial budget•
Average response time < polling server
•
Interference < deferrable server
5
Replenishment Policy
replenishment period
replenishment
initial budget
time
activation time(work available for server)
6
Bandwidth Preservation
replenishment periodreplenishment
initial budget
time
activation time(work available for server)
7
SCHED_SPORADIC
•
POSIX variant–
Conceptually similar to Sprunt
SS
•
Differences–
Allows overruns
Max execution ≤
available budget + clock resolution–
Maximum number of pending replenishments
–
Background priority
8
Differences Break Model
•
Budget amplification•
Premature replenishment
•
Incomplete temporal isolation
9
Budget Amplification
•
Accounting error–
Overruns not alwayscharged to the server
•
Max execution ≤
server budget + clock res.•
“if the available execution capacity would become negative...it shall be set to zero”
10
Budget Amplification
Is this a problem in real systems?
12
Budget Amplification Experiment
•
Linux sporadic server implementation–
Replenishment period = 10 msec
–
Budget = 1 msec•
Budget breaks into 2-8 chunks
13
14
How likely is this?
•
Simulate large number of cases•
Exponential workload distribution–
Mean job execution time = 10
–
Various mean interarrival
times•
Server–
Replenishment period = 120
–
Budget = 40•
Job overruns = 1 time unit
•
Maximum utilization = 34%120
140
15
16
Solutions
•
Just allow negative available capacity?–
But overruns can still occur every period
•
Our solution–
Think of overrun as time received early
–
Charge against future replenishments
17
18
Premature Replenishment
•
Illegal merging of chunks–
Violates minimum offset
•
Exceeds sliding window budget constraint
•
Single activation timeis oversimplification
19
Premature Replenishment
20
Premature Replenishment Simulation Experiment
•
Two tasks–
Sporadic server
•
Replenishment period = 100•
Budget = 42
–
Higher priority periodic task•
Period = 141
•
Execution time specified by x-axis
•
Intuition–
Longer preemption period can trigger illegal merging of time chunks
21
22
Is this likely?
•
Difficult to demonstrate on random arrivals and execution times
•
Effect does not occur often enough to be measured on a macroscopic scale
•
This anomaly would probably be only a concern in a hard real-time environment
23
Solutions
•
Maintain all replenishments separately?–
Unbounded fragmentation
•
Merging chunks essential–
Limits fragmentation
•
Must not merge illegally–
Preserve additional activation times
24
Premature Replenishment
25
26
Lessons Learned
•
Transforming a theoretical algorithm into an implementation is not trivial
•
Practical considerations–
Overruns
–
Maximum number of replenishments–
…
27
Lessons Learned
•
Implementation deviation from theoretical model invalidates schedulabilty
analysis
•
Analysis must be extended to match implementable reality
•
Implementation must be analyzable
28
Conclusion
•
POSIX formulation of SS broken•
Provided possible corrections
•
Need a standard scheduling policy that enforces time budgets
•
API for SCHED_SPORADIC with correct semantics can serve the purpose
Thank You!
Questions?
30
Defect #3: Incomplete Temporal Isolation
•
With temporal isolation a failure in one task does not prevent others from meeting their timing constraints
•
Problem: Execution at low priority–
Still preempts non-”real-time”
work
31
Unreliable Temporal Isolation
SCHED_FIFOSCHED_RR
SCHED_SPORADIC
SCHED_OTHER
Highest Priority
Lowest Priority
32
Unreliable Temporal Isolation
•
No upper bound on execution time consumed by SCHED_SPORADIC task
•
Even though SCHED_OTHER tasks are not RT, should allow a mechanism to isolate from overruns of SCHED_SPORADIC threads
33
Unreliable Temporal Isolation
•
Some remedies–
Background execution of SCHED_SPORADIC
–
Only use idle time–
Interleave with non-real-time priorities
–
Never execute at background priority•
Utilize numeric priority to specify functionality
34
SolutionHighest Priority
Lowest Priority
Idle
No execute
SCHED_OTHER
SC
HE
D_S
PO
RA
DIC
(background priority)SCHED_FIFOSCHED_RR
SCHED_SPORADIC (high priority)
Sprunt
Defect
36
Overview
•
Aperiodic
Tasks–
Arrivals and executions are generally considered random
–
No bound on the CPU runtime–
Typically scheduled with a server thread to bound CPU consumption and ease analysis
37
Aperiodic
Server•
Given a budget which it consumes while executing aperiodic
jobs
•
Budget is replenished according to the server's rules
•
Typically the server's impact is analyzed by some equivalent periodic task
•
Examples of fixed-priority servers–
Polling Server
–
Deferrable Server–
Sporadic Server
38
Polling Server
server budget
Ts
time
replenishment
job arrival
Server activations every period (Ts
)
ti+1
– ti
= Ts
39
Primitive Sporadic Server
server budget
Ts
time
replenishment
job arrival
Server activations lower bounded by the period (Ts
)
ti+1
– ti
≥
Ts
40
Sporadic Server
•
Parameters–
Execution budget (Cs
)–
Replenishment period (Ts
)–
Server priority
•
Replenishments performed in chunks–
Used execution time is replenished Ts
in the future from the server activation
41
POSIX•
Portable Operating System Interface [for uniX]
•
Standard that defines a set of services that an operating system provides to an application
•
Eases portability of applications from one platform to another
•
Widely implemented–
Linux–
Mac OS X–
OpenBSD–
FreeBSD–
…•
Some interfaces are optional (e.g. SCHED_SPORADIC)
42
Budget Amplification•
Occurs during overload when all budget is continuously consumed
•
With small enough fragments, a server can achieve an execution capacity arbitrarily close to 100%
•
POSIX only limits the available execution capacity to the initial budget
•
Overruns can happen–
Control of execution on the processor cannot be assumed to be perfect
–
If overruns do occur, then some fairness mechanism should be used
43
SCHED_SPORADIC
sched_ss_repl_period
time
replenishments
activationtime
replenishments pending limited to sched_ss_repl_max
Current budget limited to sched_ss_init_budget
sched_ss_init_budget
44
Evaluation
•
Linux implementation•
Also, simulator–
Allows reduction of “noise”
from
implementation•
Demonstrate effects and effectiveness of proposed solutions–
Budget amplification
–
Premature replenishment
45
Effects of Budget Amplification
•
Experiment does not reach 100% CPU utilization due to replenishments overlapping and therefore merged
•
Merging two chunks that exceed the initial budget must be rounded down to the initial budget
•
While there is a bound it still exceeds the load of an equivalent periodic task