Schedulability analysis of AADL architecture models
Full day tutorial, CPS-IoT Week 2019 conférences, April 2019, Montréal, Canada
Frank Singhoff, Lab-STICC UMR CNRS 6285/Université de Bretagne Occidentale
Pierre Dissaux, Ellidiss Tech.
Agenda of April the 15th, 2019
- 9:00-10:00 tutorial
- 10:00-10:30 coffee break
- 10:30-12:30 tutorial
- 12:00-13:30 lunch break
- 14:00-15:00 tutorial
- 15:00-15:30 coffee break
- 15:30-17:30 tutorial
This set of exercises show how to use AADLInspector to run scheduling analysis with Cheddar.
The slides of the lecture to do those exercises
can be downloaded here .
Installation procedure
To do the following exercises, you need AADLInspector.
You can download and install AADLInspector
from http://www.ellidiss.com/downloads
on your laptop (for Windows or Linux targets only).
Running procedure
For windows target, just click on the AADLInspector icon.
For Linux station, use the following command:
AADLInspector&
The objective of this first exercise is to discover the basic analysis options
of the tool.
- Download the
following AADL model.
and save those files in a specific folder. Those files are composing
an AADLInspector project: the file .aic allows AADLInspector to load
all AADL files composing your model from the menu File/Load.
- From File/Load, load the project.
- With the Static analysis/Parse and Instanciante LMP button,
verify the AADL model. What is the root component of this model? Give the instance model graph.
- To perform a scheduling analysis, the processor component
has to be extended with few properties.
Add to the cpu_leon2 component
the following properties:
PROPERTIES
Scheduling_protocol => (rate_monotonic_protocol);
- Compute the scheduling of this thread set with Cheddar by the button
Timing Analysis/Simulation timelines (Cheddar).
From this simulation, compute with Cheddar the response times of the threads
by the button Timing Analysis/Simulation Tests (Cheddar).
- Compute theoretical worst case thread response times, always with Cheddar
but with the button
Timing Analysis/Theoretical Tests (Cheddar).
- Are the two sets of worst case response times different? Why
they can differ?
- Update the Scheduling_protocol property
for subcomponent cpu
with value posix_1003_highest_priority_first_protocol
- Do again the questions 5, 6 and 7. What can you see?
In this exercise, we will model and analyze a set of threads
writing or reading data from a shared memory area. We will assume that the
shared memory area
is modeled by a data component. Writing or reading an element
will be modeled by the access of the data component in mutual exclusion.
The objective of this exercise is to gradually build and analyze such model.
In the first question, we will define two independant threads, i.e. we do not model
the shared memory area. In the next question, we intend to model several readers and
writers, always independent. Finally, in the last question, we extend the second
version of the model with the thread communications.
Question 1 :
Let assume this sample of AADL model:
package sampling_coms
public
thread writer
end writer;
thread reader
end reader;
thread implementation reader.impl
end reader.impl;
thread implementation writer.impl
end writer.impl;
process application
end application;
process implementation application.impl
end application.impl;
processor cpu
end cpu;
system smpl
end smpl;
system implementation smpl.impl
subcomponents
process1 : process application.impl;
cpu1 : processor cpu;
properties
Actual_Processor_Binding => (reference(cpu1)) applies to process1;
end smpl.impl;
end sampling_coms;
- Change the definition of the threads and the process above in order to:
- Define a periodic thread called writer with a deadline
and a period of 10 ms. The priority is 20.
The execution time of this thread is about 1 ms in the best case and 3 ms
in the worst case.
- Define a periodic thread called reader with a deadline
and a period of 20 ms.
The execution time of this thread is about 2 ms.
The priority is 10.
- Check correctness of the model with LMP.
- In order to perform scheduling analysis, extend your modele with the
following property:
properties
Scheduling_Protocol=>(POSIX_1003_HIGHEST_PRIORITY_FIRST_PROTOCOL);
- Perform the scheduling analysis with AADLInspector.
Question 2 :
- From the model of the previous question and without introducing
new component type, extend the model in order to declare 3 writers
and 2 readers with the following properties:
- Writer 1 : Deadline = Period = 40 ms ; execution time ranging 1 and 5 ms ; Priority = 1
- Writer 2 : Deadline = Period = 20 ms ; execution time ranging 1 and 4 ms ; Priority = 2
- Writer 3 : Deadline = Period = 20 ms ; execution time ranging 1 and 2 ms ; Priority = 3
- Reader 1 : Deadline = Period = 40 ms ; execution time ranging 1 and 3 ms ; Priority = 4
- Reader 2 : Deadline = Period = 40 ms ; execution time ranging 1 and 2 ms ; Priority = 5
- Verify your model by simulations with AADLInspector.
Question 3 :
In order to model the thread communications, we now extend the previous model with a data component.
- Change your previous model by adding a data component and the required
connections to the threads. For this data component, define the following property:
properties
Concurrency_Control_Protocol => PCP;
- Once updated, analyze your model with AADLInspector to locate
locks and unlocks of the data component.
This exercise is extracted from [Cottet00] and is about a simplified
architecture model of the Mars Pathfinder mission.
In this exercise, you must look for a design mistake and propose
a solution for it.
In 1997, Mars Pathfinder casts a mobile robot called Sojourner on Mars.
This mobile robot was controled by a multitask software running on a VxWorks target.
This software was composed of the following tasks:
| Tasks | Priorities | Periods/Deadlines | Executime time |
| SCHED_BUS | 1 | 125 ms | 25 ms |
| DATA | 2 | 125 ms | 25 ms |
| CONTROL | 3 | 250 ms | 25 ms |
| RADIO | 4 | 250 ms | 25 ms |
| VIDEO | 5 | 250 ms | 25 ms |
| MESURE | 6 | 5000 ms | 50 ms |
| FORECAST | 7 | 5000 ms | Between 50 ms and 75 ms |
- All the tasks are periodic, synchronous, and have deadlines equal to periods.
- FORECAST is sometimes released for a job of 50 ms, and sometimes for a job of 75 ms, depending of
the size of the payload to handle.
- Priority levels expressed bellow are VxWorks priorities : the lower the value is,
the higher the priority
level is.
- DATA, CONTROL, MESURE and FORECAST required a shared data which is accessed by a critical section
during all their execution times (i.e all their capacity/WCET).
To reduce costs, those critical sections were implemented with a mutex that did
not use
inheritance priority protocol such as PIP or PCP.
In order to define those critical sections without PIP/PCP, simply
do not add the Concurrency_Control_Protocol property when defining your data component.
- During the mission of Mars PathFinder, operators noticed that some deadlines
were missed, leading to frequent reboots
of the hardware.
Design an AADL model to discover what are the missed deadlines and why those threads
were not able to meet their deadlines.
- How to solve this issue? Apply it on your AADL model.
Data ports provide a mean to exchange messages between threads.
This exercise is a simple example showing two
protocols existing with AADL data port: the prococols immediate
and delayed.
- Download the
AADL model.
This model contains threads that are connected by data ports.
- In this model, what are the threads emitting data?
What are the threads receiving data?
What is the protocol used for these communications?
- With AADLInspector, compute the scheduling of these threads.
Is the scheduling consistent with the thread priorities? Explain.
-
Find when the messages are sent and received by T2 and T3.
- Now assume the property Timing as the value Delayed.
Again compute the scheduling of these threads and
find when the messages are sent and received.
This exercise shows how to synchronize dataflows and control flows in a simplified
Flight Control System (see the figure bellow from [Pagetti14] and the AADL model inspired from this article).
Question 1 :
- Download the
AADL model.
that represents a possible AADL design for the functional model shown above.
- Note the use of Feature Groups and Thread Groups.
- Identify what are the main missing AADLconstructs.
Question 2 :
- Add missing connections in
THREAD GROUP IMPLEMENTATION Flight_Software.impl
- Run scheduling analysis.
Question 3 :
- Add Priority and/or Dispatch_Offset properties in order to ensure a proper ordering of the threads
regarding the dataflow logics.
- Check with the scheduling analysis tools.
[Cottet00]
F. Cottet, J. Delacroix, C.
Kaiser, and Z. Mammeri.
Ordonnancement temps réel.
Hermès, 2000.
[Pagetti14] The ROSACE Case Study: From
Simulink Specification to Multi/Many-Core Execution, Claire Pagetti, David Saussiéy, Romain Gratia,
Eric Noulard, Pierre Siron. RTAS 2014 conference.