#### Synchronous Data-flow Modeling of Shared Resources

#### Erwan Jahier & Nicolas Halbwachs & Pascal Raymond (Verimag)

November 2007

Bamberg

# Context (cf the previous presentation of N. Halbwachs)

- **•** ADL = joint description of software and hardware
  - software (process, thread, program, data)
  - hardware (processor, memory, bus)
- Modeling an ADL into a Synchronous language
  - $\rightarrow$  Give a precise temporal semantics to the ADL

→ Take advantage of the validation (formal verif, test) of the host language

 $\Rightarrow$  accurate validation w.r.t. time

### **Motivations**

#### Modeling Shared resources (bus, memory)

Cannot be overlooked

Fine-grained protocol analysis (compared to usual protocol criterion that ignore functional aspects)

$$rac{WCET_1}{P_1}+...+rac{WCET_n}{P_n}\leq n(2^{rac{1}{n}}-1)$$

### Example



Synchronous modelling of Asynchrony and shared resources

Execution time (for time-lasting tasks)

Solution Clock drifts (for tasks running on several processors)

Multitasking (for tasks running on the same processor)

### Shared Resources access protocol

Rate monotonic scheduling



#### Lock

Basic Inheritance (BIP)

Priotity ceiling Protocol (PCP)

#### Scheduling *n* tasks and *m* resources

#### **Scheduler inputs:**

 $dispatched_k = Task t_k$  asks for the cpu

 $ask\_cs_{r_l}^{t_k} = \mathsf{Task} \; t_k$  asks for the resource  $r_l$ 

Scheduler outputs:

 $cpu_k = Task t_k$  has the cpu

**\checkmark** convention:  $t_i$  has priority over  $t_j$  iff i < j

### No Lock

#### In Lustre for 3 tasks

```
node cpu_from_dispatched(
    dispatched1, dispatched2, dispatched3: bool
    t1_ask_cs_r1, t1_ask_cs_r1, ... :bool)
returns ( cpu1, cpu2, cpu3 : bool);
let
    cpu1 = dispatched1;
    cpu2 = dispatched2 and not cpu1;
    cpu3 = dispatched3 and not cpu1 and not cpu2;
tel
```

### No lock

For n tasks

$$orall k \in [1,n]: oldsymbol{cpu}_k = dispatched_k \wedge igwedge_{0 < i < k} \overline{oldsymbol{cpu}_i}$$

### Lock (1)

#### For n tasks and m resources

First, we compute a utilitary relation indicating which task is in critical section

$$orall k \in [1,n] \; orall l \in [1,m]:$$

$$have\_cs_{r_l}^{t_k} = ask\_cs_{r_l}^{t_k} \land (\bullet have\_cs_{r_l}^{t_k} \lor cpu_k)$$

•  $\equiv$  previous value

### Lock (2)

## Then, we compute a utilitary relation indicating if tasks $t_i$ inhibits task $t_k$ via a resource $r_l$

$$orall k, i \in [1,n], i 
eq k, orall l \in [1,m]:$$

 $t_i\_inhibits_{r_l}^{t_k} = ask\_cs_{r_l}^{t_k} \land have\_cs_{r_l}^{t_i}$ 

### Lock (3)

#### Computing the elected thread

 $orall k \in [1,n]:$ 

$$cpu_k = dispatched_k \wedge igwedge_{0 < i < k} \overline{cpu_i} \wedge igwedge_{i 
eq k} \overline{t_{i\_inhibits}^{t_k}_{r_l}}$$

### Lock (2-bis)

#### Computing the inhibits relation (bis)

 $egin{aligned} have\_cs^{t_k}_{r_l} &= ask\_cs^{t_k}_{r_l} \wedge & (cpu_k \lor \bullet have\_cs^{t_k}_{r_l}) \ cpu_k &= dispatched_k \wedge igwedge_{0 < i < k} \overline{cpu_i} \wedge igwedge_{i \neq k} \overline{t_i\_inhibits^{t_k}_{r_l}} \ t_i\_inhibits^{t_k}_{r_l} = ask\_cs^{t_k}_{r_l} \wedge have\_cs^{t_i}_{r_l} \ t_i\_inhibits^{t_k}_{r_l} = ask\_cs^{t_k}_{r_l} \wedge \bullet have\_cs^{t_i}_{r_l} \wedge ask\_cs^{t_i}_{r_l} \end{aligned}$ 

cycle:  $t_{-inhibits_{r}^{t}} \rightarrow have_{-}cs_{r}^{t} \rightarrow cpu \rightarrow t_{-inhibits_{r}^{t}}$ .

### **Priority Inversion**



### **Basic Inheritance Protocol**

Fixing the priority inversion problem

Idea: a task that have locked a resource r inherits of the priority of tasks that want to access to r

 $\Rightarrow t_{i-inhibits_{t_{k}}^{*}}$  relation

Computing the  $t_{i-inhibits^*_{t_k}}$  relation

•  $path(i,k) = \{ \text{ cycle-free inhibit. paths from } t_i \text{ to } t_k \}$ 

$$egin{array}{lll} \wedge & ... & \wedge rac{t_{i_s}\_inhibits^{t_k}}{\wedge rac{t_i\_is\_inhibited}} \end{array}$$

#### **Basic Inheritance Protocol**

 $ii_{0} = 0$  $\forall k \in [1, n] : (cpu_k, ii_k) =$  $\overline{dispatched_k} \rightarrow (False, i_{k-1})$ (1) $(cpu_1 \lor ... \lor cpu_{k-1}) \to (False, -1)$ (2) $\{ t_{j\_inhibits^*_{t_k}} \rightarrow (False, j) \}_{j \in [1,n], j \neq k}$ (3) $i_{k-1} = k \rightarrow (True, -1)$ (4) $i_{k-1} > 0 \rightarrow (False, ii_{k-1})$ (5) $\mathbf{T}rue \rightarrow (\overline{t_{k}\_is\_inhibited}, 0)$ (6)

$$ii_{0} = 0$$
  

$$\forall k \in [1, n] : (cpu_{k}, ii_{k}) =$$

$$\overline{dispatched_{k}} \rightarrow (False, ii_{k-1}) \qquad (1)$$

$$(cpu_{1} \lor \dots \lor cpu_{k-1}) \rightarrow (False, -1) \qquad (2)$$

$$\{ t_{j-inhibits^{*}_{t_{k}}} \rightarrow (False, j) \}_{j \in [1,n], j \neq k} \qquad (3)$$

$$ii_{k-1} = k \rightarrow (True, -1) \qquad (4)$$

$$ii_{k-1} > 0 \rightarrow (False, ii_{k-1}) \qquad (5)$$

$$True \rightarrow (\overline{t_{k-is-inhibited}}, 0) \qquad (6)$$

 $ii_{0} = 0$  $(cpu_1, ii_1) =$  $\overline{dispatched_1} \rightarrow (False, ii_0)$ (1) $(False) \rightarrow (False, -1)$ (2) $\{ t_{j-inhibits^*_{t_i}} \rightarrow (False, j) \}_{i \in [1,n], i \neq 1}$ (3) $ii_0 = 1 \rightarrow (True, -1)$ (4) $ii_0 > 0 \rightarrow (False, ii_0)$ (5) $True \rightarrow (t_1\_is\_inhibited, 0)$ (6)

 $ii_0 = 0$  $(cpu_1, ii_1) =$  $\overline{dispatched_1} \rightarrow (False, ii_0)$ (1) $(False) \rightarrow (False, -1)$ (2) $\{ t_{j-inhibits^*_{t_i}} \rightarrow (False, j) \}_{i \in [1,n], i \neq 1}$ (3) $ii_0 = 1 \rightarrow (True, -1)$ (4) $ii_0 > 0 \rightarrow (False, ii_0)$ (5) $True \rightarrow (t_1\_is\_inhibited, 0)$ (6)

 $ii_1 = 0$  $(cpu_2, ii_2) =$  $\overline{dispatched_2} \rightarrow (False, ii_1)$ (1) $(cpu_1) \rightarrow (False, -1)$ (2) $\{ t_{j-inhibits^*_{t_n}} \rightarrow (False, j) \}_{j \in [1,n], j \neq 2}$ (3) $ii_1 = 2 \rightarrow (True, -1)$ (4) $ii_1 > 0 \rightarrow (False, ii_1)$ (5) $True \rightarrow (t_2\_is\_inhibited, 0)$ (6)

 $ii_1 = 0$  $(cpu_2, ii_2) =$  $\overline{dispatched_2} \rightarrow (False, ii_1)$ (1) $(cpu_1) \rightarrow (False, -1)$ (2) $\{ t_{j-inhibits^*_{t_n}} \rightarrow (False, j) \}_{j \in [1,n], j \neq 2}$ (3) $ii_1 = 2 \rightarrow (True, -1)$ (4) $ii_1 > 0 \rightarrow (False, ii_1)$ (5) $True \rightarrow (t_2\_is\_inhibited, 0)$ (6)

 $egin{array}{lll} ii_2=0\ (cpu_3,ii_3)= \end{array}$ 

$$\overline{dispatched_3} \rightarrow (False, ii_2)$$
 (1)

$$(cpu_1 \lor cpu_2) \rightarrow (False, -1)$$
 (2)

$$\{ t_{j\_inhibits^*_{t_3}} \rightarrow (False, j) \}_{j \in [1,n], j \neq 3}$$

$$ii_2 = 3 \rightarrow (True, -1)$$

$$(4)$$

$$ii_2 > 0 \rightarrow (False, ii_2)$$
 (5)

$$True \rightarrow (\overline{t_3\_is\_inhibited}, 0)$$
 (6)

 $egin{array}{lll} ii_2=0\ (cpu_3,ii_3)= \end{array}$ 

$$\overline{dispatched_3} \rightarrow (False, ii_2)$$
 (1)

$$(cpu_1 \lor cpu_2) \rightarrow (False, -1)$$
 (2)

$$\{ t_{j\_inhibits^*_{t_3}} \rightarrow (False, j) \}_{j \in [1,n], j \neq 3}$$
(3)  
$$ii_2 = 3 \rightarrow (True - 1)$$
(4)

$$ii_2 > 0 \rightarrow (False, ii_2)$$
 (5)

$$True \rightarrow (\overline{t_3\_is\_inhibited}, 0)$$
 (6)

 $dispatched_1$ ,  $dispatched_2$ ,  $dispatched_3$ ,  $dispatched_4$ ,  $t_3\_inhibits_{t_1}^*$ 

 $egin{array}{ll} ii_0=0\ (cpu_1,ii_1)= \end{array}$ 

 $\overline{dispatched_{1}} \rightarrow (False, ii_{0}) \quad (1)$   $(False) \rightarrow (False, -1) \quad (2)$   $\{ t_{j\_inhibits_{t_{1}}^{*}} \rightarrow (False, j) \}_{j \in [1,n], j \neq 1} \quad (3)$   $ii_{0} = 1 \rightarrow (True, -1) \quad (4)$   $ii_{0} > 0 \rightarrow (False, ii_{0}) \quad (5)$   $True \rightarrow (\overline{t_{1\_is\_inhibited}}, 0) \quad (6)$ 

 $dispatched_1$ ,  $dispatched_2$ ,  $dispatched_3$ ,  $dispatched_4$ ,  $t_3\_inhibits^*_{t_1}$ 

 $egin{array}{l} ii_0=0\ (cpu_1,ii_1)= \end{array}$ 

| $\overline{dispatched_1} ~ ightarrow~(False, ii_0)$ | (1)                      |
|-----------------------------------------------------|--------------------------|
| $(False) \  ightarrow \ (False, -1)$                | (2)                      |
| $t_{3\_}inhibits^*_{t_1} \rightarrow (False, 3)$    | (3)                      |
| $ii_0=1~ ightarrow~(True,-1)$                       | (4)                      |
| $ii_0 > 0 ~ ightarrow~(False, ii_0)$                | (5)                      |
| $True \  ightarrow \ (\overline{t_1\_is\_inhib}$    | $\overline{ited}, 0$ (6) |

 $dispatched_1$ ,  $dispatched_2$ ,  $dispatched_3$ ,  $dispatched_4$ ,  $t_3\_inhibits^*_{t_1}$ 

 $egin{array}{lll} ii_1=3\ (cpu_2,ii_2)= \end{array}$ 

| $\overline{dispatched_2}$      | $\rightarrow$ | $(False, ii_1)$                          | (1) |
|--------------------------------|---------------|------------------------------------------|-----|
| $(cpu_1)$                      | $\rightarrow$ | (False, -1)                              | (2) |
| $\{ \ t_{j\_}inhibits^*_{t_2}$ | $\rightarrow$ | $(False, j) \mid_{j \in [1,n], j  eq 2}$ | (3) |
| $ii_1=2$                       | $\rightarrow$ | (True, -1)                               | (4) |
| $ii_1>0$                       | $\rightarrow$ | $(False, ii_1)$                          | (5) |
| True                           | $\rightarrow$ | $(\overline{t_2\_is\_inhibited},0)$      | (6) |

 $dispatched_1$ ,  $dispatched_2$ ,  $dispatched_3$ ,  $dispatched_4$ ,  $t_3\_inhibits^*_{t_1}$ 

 $egin{array}{lll} ii_2=3\ (cpu_3,ii_3)= \end{array}$ 

| $\rightarrow$ ( $False, ii_2$ ) | (1)                        |
|---------------------------------|----------------------------|
|                                 | $ ightarrow (False, ii_2)$ |

$$(cpu_1 \lor cpu_2) \rightarrow (False, -1)$$
 (2)

$$\{ t_{j\_inhibits^*_{t_3}} \rightarrow (False, j) \}_{j \in [1,n], j \neq 3}$$
(3)

$$ii_2 = 3 \rightarrow (True, -1)$$
 (4)

$$ii_2 > 0 \rightarrow (False, ii_2)$$
 (5)

$$True \rightarrow (\overline{t_{3}}is_inhibited, 0)$$
 (6)

### problem: the BIP can deadlock



→ (statically) forbid such intertwined use of locks
 → Priority Ceiling Protocol

### **Priority ceiling Protocol**

Priority ceiling of a resource r PC(r) is the priority of the more prioritary task that migth access to r (static)

• The priority ceiling of a task  $t_k PC_k$  is the maximum of the priority ceilings of the resources locked by other tasks than  $t_k$  (dynamic)

$$egin{aligned} orall k: & PC_k = Min \{ & & & if igwedge V_{i\in[1,n],i
eq k} (ask\_cs^{t_i}_{r_l} ~\wedge ~ ullet have\_cs^{t_i}_{r_l}) \ & & & & then ~ PC(l) ~ else ~ n \ & & & & \ & & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & \ & & \ & & \ & & \ & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & & \ & \ & & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ & \ &$$

### **Priority ceiling Protocol**

• BIP +  $t_k$  can lock a resource r only if its priority is higher than its priority ceiling  $(k < PC_k)$ .

### **Priority ceiling Protocol**

$$ii_{0} = 0$$
  

$$\forall k \in [1, n] : (cpu_{k}, ii_{k}) = \blacksquare$$

$$\overline{dispatched_{k}} \rightarrow (False, ii_{k-1}) \qquad (1)$$

$$(cpu_{1} \lor ... \lor cpu_{k-1}) \rightarrow (False, -1) \qquad (2)$$

$$\{ t_{j}\_inhibits_{t_{k}}^{*} \rightarrow (False, pc(j)) \}_{j \in [1,n], j \neq k} (3)$$

$$ii_{k-1} = k \rightarrow (True, -1) \qquad (4)$$

$$ii_{k-1} > 0 \rightarrow (False, ii_{k-1}) \qquad (5)$$

$$True \rightarrow (\overline{t_{k}\_is\_inhibited} \qquad \land (ask\_cs^{t_{k}} \Rightarrow PC_{k} > k),$$

$$0) \qquad (6)$$

where  $pc(j) = if \ PC_j > j \ then \ j \ else \ 0$ 









#### Iesar finds the deadlock in BIP

Iesar proves the absence of deadlock in PCP