Skip to main content
Log in

Priority-based concurrency and shared resource access mechanisms for nested intercomponent requests in CAmkES

  • Published:
Real-Time Systems Aims and scope Submit manuscript

Abstract

Component-based design encapsulates and isolates state and the operations on it, but timing semantics cross-cut these boundaries when a real-time task’s control flow spans multiple components. Under priority-based scheduling, inter-component control flow should be coupled with priority information, so that task execution can be prioritized appropriately end-to-end. However, the CAmkES component architecture for the seL4 microkernel does not adequately support priority propagation across intercomponent requests: component interfaces are bound to threads that execute at fixed priorities provided at compile-time in the component specification. In this paper, we present a new library for CAmkES with a thread model that supports (1) multiple concurrent requests to the same component endpoint; (2) propagation and enforcement of priority metadata, such that those requests are appropriately prioritized; (3) implementations of Non-Preemptive Critical Sections, the Immediate Priority Ceiling Protocol, and the Priority Inheritance Protocol for components encapsulating critical sections of exclusive access to a shared resource; and (4) extensions of these mechanisms to support nested lock acquisition. We measure overheads and blocking times for these new features, use existing theory to discuss schedulability analysis, and present a new hyperbolic bound for rate-monotonic scheduling of tasks with blocking times that allows tasks to be assigned non-unique priorities. Evaluations on both Intel x86 and ARM platforms demonstrate that our library allows CAmkES to provide suitable end-to-end timing for real-time systems.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8

Similar content being viewed by others

Notes

  1. Available from https://www.sudvarg.com/priority-aware-camkes

  2. Our system model does not allow an originating component to specify any CPIs since it is by definition the root of all request chains emanating from it.

  3. Another version of this is also possible, where a request is sent asynchronously to an event interface, in which case no reply is necessary, and control need not return to the requesting active component or CPI. We defer consideration of this alternative to future work.

  4. We did not enable MCS features when building the kernel. Budget depletion during execution in a CPI encapsulating nonreentrant critical sections can starve higher-priority requests, as noted in Jero et al. (2021). Further, the seL4 sporadic server implementation induces budget fragmentation even when threads are preempted by others of higher priority (Lyons et al., 2018); the standard sporadic server should only schedule a replenishment when a thread voluntarily yields the processor (Sprunt, 1990; Stanovich et al., 2010).

  5. In CAmkES, procedure interfaces are declared similarly to C-style functions: they may include one or more parameters, which specify the set of arguments that must be passed as part of the IPC message data.

  6. The insert order increments with every insertion into the priority queue. It is is implemented as a 64-bit unsigned integer to avoid overflow.

  7. For example, two components might each have two CPIs, one which sends a request to the other component, and one which receives a request from the other component. Despite the digraph of requests forming a cycle between the two components, each request path involves a distinct set of CPIs, and therefore cannot deadlock.

  8. The processor supports a CPU clock speed of 1.4 GHz. However, as noted in Blass et al. (2021), this frequency cannot be sustained continuously, and may lead to throttling and instability. To maintain predictability, we boot the Raspberry Pi with a constant 700 MHz CPU clock speed, set the GPU processor core to 250 MHz, and disable throttling. Details can be found at https://www.raspberrypi.com/documentation/computers/config_txt.html

  9. https://docs.sel4.systems/Hardware/Rpi3.html

  10. We set the CONFIG_TIMER_TICK_MS kernel configuration parameter to 1,000,000 (1000 s), sufficiently long to ensure appropriate behavior in our tests.

  11. An alternative to UUniSort, the UUniFast algorithm, runs in linear time, where UUniSort is quasilinear. However, the elegance and simplicity of UUniSort, combined with our small input sizes, make it ideal for our offline synthetic task set generation.

  12. Restricting to a set of harmonic harmonic periods, instead of generating task periods according to the log-uniform distribution described in Emberson et al. (2010), allows trials with repeated hyperperiods to be performed efficiently.

References

  • AUTOSAR Classic Platform. https://www.autosar.org/standards/classic-platform/. Accessed 25 Jan 2022

  • Baker TP (1991) Stack-based scheduling for realtime processes. Real-Time Syst 3(1):67–99

    Article  MathSciNet  Google Scholar 

  • Blackham B, Shi Y, Chattopadhyay S, Roychoudhury A, Heiser G. (2011) Timing analysis of a protected operating system kernel. In: 2011 IEEE 32nd Real-Time Systems Symposium, pp. 339–348. https://doi.org/10.1109/RTSS.2011.38

  • Blass T, Hamann A, Lange R, Ziegenbein D, Brandenburg BB (2021) Automatic latency management for ros 2: Benefits, challenges, and open problems. In: 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS), pp. 264–277. https://doi.org/10.1109/RTAS52030.2021.00029

  • Bini E, Buttazzo GC (2005) Measuring the performance of schedulability tests. Real-Time Syst 30(1–2):129–154

    Article  Google Scholar 

  • Bini E, Buttazzo GC, Buttazzo GM (2003) Rate monotonic analysis: the hyperbolic bound. IEEE Trans Comput 52(7):933–942. https://doi.org/10.1109/TC.2003.1214341

    Article  Google Scholar 

  • Buttazzo GC (2011) Hard Real-Time Computing Systems, 3rd edn., pp. 205–248. Springer, New York. Chap. 7

  • CAmkES Manual. https://docs.sel4.systems/projects/camkes/manual.html. Accessed 23 Jan 2022

  • CORBA Component Model (version 3.0). https://www.omg.org/spec/CCM/3.0. OMG Document formal/02-06-65. Accessed 24 May 2001

  • Elphinstone K, Heiser G (2013) From l3 to sel4 what have we learnt in 20 years of l4 microkernels? In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles. SOSP ’13, pp. 133–150. Association for Computing Machinery, New York, NY, USA

  • Emberson P, Stafford R, Davis RI (2010) Techniques for the synthesis of multiprocessor tasksets. In: WATERS Workshop at the Euromicro Conference on Real-Time Systems, pp. 6–11

  • Ford B, Lepreau J (1994) Evolving mach 3.0 to a migrating thread model. In: USENIX Winter 1994 Technical Conference (USENIX Winter 1994 Technical Conference). USENIX Association, San Francisco, CA

  • Jero S, Furgala J, Pan R, et al. (2021) Practical principle of least privilege for secure embedded systems. In: 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS), 1–13. https://doi.org/10.1109/RTAS52030.2021.00009

  • Jinja. https://jinja.palletsprojects.com/. Accessed 23 Jan 2022

  • Klein G, Elphinstone K, Heiser G, et al. (2009) Sel4: Formal verification of an os kernel. In: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles. SOSP ’09, pp. 207–220. Association for Computing Machinery, New York, NY, USA

  • Klein G, Andronick J, Elphinstone K et al (2014) Comprehensive formal verification of an os microkernel. ACM Trans Comput Syst 32(1):1–70

    Article  Google Scholar 

  • Kluge F, Yu C, Mische J, Uhrig S, Ungerer T (2009) Implementing autosar scheduling and resource management on an embedded smt processor. In: Proceedings of Th 12th International Workshop on Software and Compilers for Embedded Systems. SCOPES ’09, pp. 33–42. Association for Computing Machinery, New York, NY, USA

  • Kuz I, Liu Y, Gorton I, Heiser G (2007) Camkes: a component model for secure microkernel-based embedded systems. J Syst Softw 80(5):687–699. https://doi.org/10.1016/j.jss.2006.08.039.Elsevier

    Article  Google Scholar 

  • Liedtke J (1993) Improving ipc by kernel design. SIGOPS Oper Syst Rev 27(5):175–188

    Article  Google Scholar 

  • Lipari G, Lamastra G, Abeni L (2004) Task synchronization in reservation-based real-time systems. IEEE Trans Comput 53(12):1591–1601. https://doi.org/10.1109/TC.2004.120

    Article  Google Scholar 

  • Liu CL, Layland JW (1973) Scheduling algorithms for multiprogramming in a hard-real-time environment. J ACM 20(1):46–61

    Article  MathSciNet  Google Scholar 

  • Lyons A, McLeod K, Almatary H, Heiser G (2018) Scheduling-context capabilities: a principled, light-weight operating-system mechanism for managing time. In: ACM EuroSys Conference, pp. 1–16. https://doi.org/10.1145/3190508.3190539

  • Mergendahl S, Jero S, Ward BC, Furgala J, Parmer G, Skowyra R (2022) The thundering herd: Amplifying kernel interference to attack response times. In: 2022 IEEE 28th Real-Time and Embedded Technology and Applications Symposium (RTAS), 95–107. https://doi.org/10.1109/RTAS54340.2022.00016

  • McIlroy MD (1969) Mass-produced software components. Software Engineering: Report of a conference sponsored by the NATO Science Committee, Garmisch, Germany 7–11(1968):79–85

    Google Scholar 

  • Parmer G (2010) The case for thread migration: Predictable ipc in a customizable and reliable os. In: Proceedings of the Workshop on Operating Systems Platforms for Embedded Real-Time Applications (OSPERT), pp. 91–100

  • Sha L, Rajkumar R, Lehoczky JP (1990) Priority inheritance protocols: an approach to real-time synchronization. IEEE Trans Comput 39(9):1175–1185. https://doi.org/10.1109/12.57058

    Article  MathSciNet  Google Scholar 

  • Specification of Operating System. https://www.autosar.org/fileadmin/user_upload/standards/classic/21-11/AUTOSAR_SWS_OS.pdf. Classic Platform Standard Release R21-11. Accessed 25 Jan 2022

  • Subramonian V, Deng G, Gill C, Balasubramanian J, Shen L-J, Otte W, Schmidt D, Gokhale A, Wang N (2007) The design and performance of component middleware for qos-enabled deployment and configuration of dre systems. J Syst Softw 80(5):668–677

    Article  Google Scholar 

  • Subramonian V, Wang N, Shen L-J, Gill C (2004) The design and performance of configurable component middleware for distributed real-time and embedded systems. In: IEEE Real-Time Systems Symposium (RTSS) 252–261

  • Sudvarg M, Gill C (2022) A concurrency framework for priority-aware intercomponent requests in camkes on sel4. In: 2022 IEEE 28th International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA), 1–10. https://doi.org/10.1109/RTCSA55878.2022.00007

  • seL4 Benchmarks. https://sel4.systems/About/Performance/. Accessed 02 June 2023

  • Sprunt B. (1990) Aperiodic task scheduling for real-time systems. Technical report, Carnegie Mellon University

  • Stanovich M, Baker TP, Wang A-I, Harbour MG (2010) Defects of the posix sporadic server and how to correct them. In: 2010 16th IEEE Real-Time and Embedded Technology and Applications Symposium, pp. 35–45. https://doi.org/10.1109/RTAS.2010.34

  • Steinberg U, Wolter J, Hartig H (2005) Fast component interaction for real-time systems. In: 17th Euromicro Conference on Real-Time Systems (ECRTS’05), pp. 89–97. https://doi.org/10.1109/ECRTS.2005.16

  • Steinberg U, Böttcher A, Kauer B. (2010) Timeslice donation in component-based systems. In: Proceedings of the Workshop on Operating Systems Platforms for Embedded Real-Time Applications (OSPERT), pp. 16–23

  • Steinberg U, Kauer B (2010) Nova: A microhypervisor-based secure virtualization architecture. In: Proceedings of the 5th European Conference on Computer Systems. EuroSys ’10, pp. 209–222. Association for Computing Machinery, New York, NY, USA

  • The seL4 microkernel. https://docs.sel4.systems/projects/sel4/. Accessed 23 Jan 2022. https://doi.org/10.5281/zenodo.591727

  • Wang Q, Song J, Parmer G. (2011) Execution stack management for hard real-time computation in a component-based os. In: 2011 IEEE 32nd Real-Time Systems Symposium, pp. 78–89. https://doi.org/10.1109/RTSS.2011.15

Download references

Funding

Funding was supported by National Science Foundation [Grant Nos. CSR-1814739, CNS-17653503] and National Aeronautics and Space Administration [Grant No. 80NSSC21K1741].

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Marion Sudvarg.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Appendix A: Hyperbolic bound with blocking times

Appendix A: Hyperbolic bound with blocking times

The hyperbolic bound for rate-monotonic (RM) schedulability is given by Theorem 1 of Bini et al. (2003):

Theorem 1

Let \(\Gamma = \{\tau _1,\ldots ,\tau _n\}\) be a set of n periodic tasks, where each task \(\tau _i\) is characterized by a processor utilization \(U_i\). Then, \(\Gamma\) is schedulable with the RM algorithm if

$$\begin{aligned} \prod _{i=1}^n(U_i + 1) \le 2 \end{aligned}$$
(A1)

The proof of this theorem in Bini et al. (2003) assumes that tasks are ordered by increasing periods; while this does not lose generality in the case that all tasks are assigned unique priorities, we are interested in the case where some tasks may have equal periods, and are therefore assigned equal priorities. We begin by considering schedulability for each task.

Lemma 1.1

In the absence of blocking induced by shared resource constraints, for a set \(\Gamma\) of periodic tasks, ordered by strictly decreasing priority, a task \(\tau _i\) is schedulable under RM if

$$\begin{aligned} \prod _{j=1}^i(U_j + 1) \le 2 \end{aligned}$$
(A2)

Proof

By Theorem 1, the task system \(\Gamma _i = \{\tau _1,\ldots ,\tau _i\}\) is schedulable if

$$\begin{aligned} \prod _{j=1}^i(U_j + 1) \le 2 \end{aligned}$$
(A3)

This implies that task \(\tau _i\) is schedulable. The addition of tasks of lower priority, i.e. any task \(\tau _j\) for which \(j > i\), will not affect the schedulability of \(\tau _i\). Thus, Eq. A3 holds for all \(\tau _i \in \Gamma\). \(\square\)

Lemma 1.2

In the absence of blocking induced by shared resource constraints, for a set \(\Gamma\) of periodic tasks, a task \(\tau _i\) with priority \(P_i\) is schedulable under RM if

$$\begin{aligned} \prod _{\tau _j:P_j \ge P_i}(U_j + 1) \le 2 \end{aligned}$$
(A4)

Proof

For any \(\tau _i \in \Gamma\) for which \(\not \exists j: P_i = P_j, \text{ } i \ne j\), Eq. A2 is equivalent.

Assume that there exists some \(\tau _i\) for which other tasks in \(\Gamma\) have equal priority, i.e., there exists a set \(K_i = \{k: P_i = P_k, \text{ } i \ne k\}\). In the worst case, these tasks will be released before \(\tau _i\), and thus \(\tau _i\) must wait for their completion as if they are higher priority tasks. In this case, without loss of generality, assume that tasks are ordered by non-decreasing priorities such \(\forall k \in K_i, \text{ } k < i\). Then, by this ordering, Eqs. A2 and A4 are equivalent. \(\square\)

The proof of the following theorem follows closely with that of Theorem 16 in Sha et al. (1990).

Theorem 2

In the presence of blocking induced by shared resource constraints, a set \(\Gamma\) of n periodic tasks is schedulable under RM if

$$\begin{aligned} \forall {i}, \text{ } 1 \le i \le n, ~~~ \prod _{\tau _j:P_j \ge P_i, j \ne i}\left( U_j + 1\right) \left( \frac{C_i+B_i}{T_i} + 1\right) \le 2 \end{aligned}$$
(A5)

Proof

Suppose that the equation is satisfied for all \(i, \text{ } 1 \le i \le n\). Then it follows that for each task \(\tau _i\), Eq. A4 will also be satisfied with \(n = i\) and \(C_i\) replaced by \(C_i^* = (C_i + B_i)\). That is, in the absence of blocking, \(\tau _i\) will be schedulable even if it executes for \((C_i + B_i)\) units of time. It follows that task \(\tau _i\), if it executes for only \(C_i\) units of time, can be delayed by \(B_i\) units of time and still meet its deadline. Hence, the theorem follows. \(\square\)

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Sudvarg, M., Sun, Z., Li, A. et al. Priority-based concurrency and shared resource access mechanisms for nested intercomponent requests in CAmkES. Real-Time Syst 60, 76–107 (2024). https://doi.org/10.1007/s11241-024-09419-3

Download citation

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11241-024-09419-3

Keywords

Navigation