Optimal Priority Assignment for Real-Time Systems: A Coevolution-Based Approach

02/15/2021 ∙ by Jaekwon Lee, et al. ∙ University of Luxembourg uOttawa 0

In real-time systems, priorities assigned to real-time tasks determine the order of task executions, by relying on an underlying task scheduling policy. Assigning optimal priority values to tasks is critical to allow the tasks to complete their executions while maximizing safety margins from their specified deadlines. This enables real-time systems to tolerate unexpected overheads in task executions and still meet their deadlines. In practice, priority assignments result from an interactive process between the development and testing teams. In this article, we propose an automated method that aims to identify the best possible priority assignments in real-time systems, accounting for multiple objectives regarding safety margins and engineering constraints. Our approach is based on a multi-objective, competitive coevolutionary algorithm mimicking the interactive priority assignment process between the development and testing teams. We evaluate our approach by applying it to six industrial systems from different domains and several synthetic systems. The results indicate that our approach significantly outperforms both random search and solutions defined by practitioners. Our approach scales to complex industrial systems as an offline analysis method that attempts to find (near-)optimal solutions within acceptable time, i.e., less than two days.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Mission-critical systems are found in many different application domains, such as aerospace, automotive, and healthcare domains. The success of such systems depends on both functional and temporal correctness. For functional correctness, systems are required to provide appropriate outputs in response to the corresponding stimuli. Regarding temporal correctness, systems are supposed to generate outputs within specified time constraints, often referred to as deadlines. The systems that have to comply with such deadlines are known as real-time systems (Liu, 2000). Real-time systems typically run multiple tasks in parallel and rely on a real-time scheduling policy to decide which tasks should have access to processing cores, i.e., CPUs, at any given time.

While developing a real-time system, one of the most common problems that engineers face is the assignment of priorities to real-time tasks in order for the system to meet its deadlines. Based on priorities of real-time tasks, the system’s task scheduler determines a particular order for allocating real-time tasks to processing cores. Hence, a priority assignment that is poorly designed by engineers makes the system scheduler execute tasks in an order that is far from optimal. In addition, the system will likely violate its performance and time constraints, i.e., deadlines, if a poor priority assignment is used.

In real-time systems, the problem of optimally assigning priorities to tasks is important not only to avoid deadline misses but also to maximize safety margins from task deadlines and is subject to engineering constraints. Tasks may exceed their expected execution times due to unexpected interrupts. For example, it is infeasible to test an aerospace system exhaustively on the ground such that potential environmental uncertainties, e.g., those related to space radiations, are accounted for. Hence, engineers assign optimal priorities to tasks such that the remaining times from tasks’ completion times to their deadlines, i.e., safety margins, are maximized to cope with potential uncertainties. Furthermore, engineers typically have to account for additional engineering constraints, e.g., they assign higher priorities to critical tasks that must always meet their deadlines compared to the tasks that are less critical or non-critical.

A brute force approach to find an optimal priority assignment would have to examine all distinct priority assignments, where denotes the number of tasks. Furthermore, for a given priority assignment, schedulability analysis is, in general, known as a hard problem (Audsley, 2001), which determines whether or not tasks will always complete their executions within their specified deadlines. Thus, optimizing priority assignments is also a hard problem because the space of all possible system states to explore in order to find optimal priority assignments is very large. Most of the prior works on optimizing priority assignments provide analytical methods (Fineberg and Serlin, 1967; Leung and Whitehead, 1982; Audsley, 1991; Davis and Burns, 2007; Chu and Burns, 2008; Davis and Burns, 2009; Davis and Bertogna, 2012), which rely on well-defined system models and are very restrictive. For example, they assume that tasks are independent, i.e., tasks do not share resources (Davis et al., 2016; Zhao and Zeng, 2017). Industrial systems, however, are typically not compatible with such (simple) system models. In addition, none of the existing work addresses the problem of optimizing priority assignments by simultaneously accounting for multiple objectives, such as safety margins and engineering constraints, as discussed above.

Search-based software engineering (SBSE) has been successfully applied in many application domains, including software testing (Wegener et al., 1997; Wegener and Grochtmann, 1998; Lin et al., 2009; Arcuri et al., 2010; Shin et al., 2018), program repair (Weimer et al., 2009; Tan et al., 2016; Abdessalem et al., 2020), and self-adaptation (Andrade and Macedo, 2013; Chen et al., 2018; Shin et al., 2020), where the search spaces are very large. Despite the success of SBSE, engineering problems in real-time systems have received much less attention in the SBSE community. In the context of real-time systems, there exists limited work on finding stress test scenarios (Briand et al., 2005) and predicting worst-case execution times (Lee et al., 2020), which complements our work.

In practice, priority assignments result from an interactive process between the development and testing teams. While developing a real-time system, developers assign priorities to real-time tasks in the system and then testers stress the system to check whether or not the system meets its specified deadlines. If testers find a problematic condition under which any of the tasks violates its deadline, developers have to modify the priority assignment to address the problem. The back-and-forth between the development and testing teams continues until a priority assignment that does not lead to any deadline miss is found or the one that yields the least critical deadline misses is identified. The process is, however, not automated.

In this article, we use metaheuristic search algorithms to automate the process of assigning priorities to real-time tasks. To mimic the interactive back-and-forth between the development and testing teams, we use competitive coevolutionary algorithms (Luke, 2013)

. Coevolutionary algorithms are a specialized class of evolutionary search algorithms. They simultaneously coevolve two populations (also called species) of (candidate) solutions for a given problem. They can be cooperative or competitive. The competitive coevolution is similar to what happens in nature between predators and preys. For example, faster preys escape predators more easily, and hence they have a higher probability of generating offspring. This impacts the predators, because they need to evolve as well to become faster if they want to feed and survive 

(Meneghini et al., 2016). In our context, priority assignments defined by developers can be seen as preys and stress test scenarios as predators. The priority assignments need to evolve so that stress testing is not able to push the system into breaking its real-time constraints. Dually, stress test scenarios should evolve to be able to break the system when there is a chance to do so.

Contributions. We propose an Optimal Priority Assignment Method for real-time systems (OPAM). Specifically, we apply multi-objective, two-population competitive coevolution (Popovici et al., 2012) to address our problem of finding optimal priority assignments, aiming at maximizing the magnitude of safety margins from deadlines and constraint satisfaction. In OPAM, two species relate to priority assignment and stress testing coevolve synchronously, and compete against each other to find the best possible solutions. We evaluated OPAM by applying it to six complex, industrial systems from different domains, including the aerospace, automotive, and avionics domains, and several synthetic systems. Our results show that: (1) OPAM finds significantly better priority assignments compared to our baseline, i.e., random search, (2) the execution time of OPAM scales linearly with the number of tasks in a system and the time required to simulate task executions, and (3) OPAM priority assignments significantly outperform those manually defined by engineers based on domain expertise.

We note that OPAM is the first attempt to apply coevolutionary algorithms to address the problem of priority assignment. Further, it enables engineers to explore tradeoffs among different priority assignments with respect to two objectives: maximizing safety margins and satisfying engineering constraints. Our full evaluation package is available online (Lee et al., 2021).

Organization. The remainder of this article is structured as follows: Section 2 motivates our work. Section 3 defines our specific problem of priority assignment in practical terms. Section 4 discusses related work. Sections 5 and 6 describe OPAM. Section 7 evaluates OPAM. Section 8 concludes this article.

2 Motivating case study

We motivate our work using an industrial case study from the satellite domain. Our case study concerns a mission-critical real-time satellite, named ESAIL (LuxSpace, 2021), which has been developed by LuxSpace – a leading system integrator for microsatellites and aerospace system. ESAIL tracks vessels’ movements over the entire globe as the satellite orbits the earth. The vessel-tracking service provided by ESAIL requires real-time processing of messages received from vessels in order to ensure that their voyages are safe with the assistance of accurate, prompt route provisions. Also, as ESAIL orbits the planet, it must be oriented in the proper position on time in order to provide services correctly. Hence, ESAIL’s key operations, implemented as real-time tasks, need to be completed within acceptable times, i.e., deadlines.

Engineers at LuxSpace analyze the schedulability of ESAIL across different development stages. At an early design stage, the engineers use a priority assignment method that extends the rate monotonic scheduling policy (Fineberg and Serlin, 1967), which is a theoretical priory assignment algorithm used in real-time systems. At a later development stage, if the engineers found that any real-time task of ESAIL cannot complete its execution within its deadline, the engineers, in our study context, reassign priorities to tasks in order to address the problem of deadline violations.

The rate monotonic policy assigns priorities to tasks that arrive to be executed periodically and must be completed within a certain amount of time, i.e., periodic tasks with hard deadlines. According to the policy, periodic tasks that arrive frequently have higher priorities than those of other tasks that arrive rarely. In ESAIL, for example, if the vessel-tracking task arrives every 100ms and the satellite-position control task arrives every 150ms, the former has a higher priority than the latter. However, the rate monotonic policy does not account for tasks that arrive irregularly and should be completed within a reasonable amount of time, i.e., aperiodic tasks with soft deadlines. ESAIL contains aperiodic tasks with soft deadlines as well, such as a task for updating software. Hence, the engineers extend the rate monotonic policy to assign priorities to all tasks of ESAIL. The extensions are as follows: First, the engineers assign priorities to periodic tasks based on the rate monotonic policy. Second, the engineers assign lower priorities to aperiodic tasks than those of periodic tasks. As aperiodic tasks with soft deadlines are typically considered less critical than periodic tasks with hard deadlines, the engineers aim to ensure that periodic tasks complete their executions within their deadlines by assigning lower priorities to aperiodic tasks while periodic tasks have higher priority. Engineers use a heuristic to assign priorities to aperiodic tasks. They treat aperiodic tasks as (pseudo-)periodic tasks by setting aperiodic tasks’ (expected) minimum arrival rates as their fixed arrival periods, making the tasks frequently arrive. The engineers then apply the rate monotonic policy for the aperiodic tasks with the synthetic periods while ensuring that aperiodic tasks have lower priorities than those of periodic tasks.

A priority assignment made at an early design stage keeps changing while developing ESAIL due to various reasons, such as changes in requirements and implementation constraints. At a development stage, instead of relying on the extended rate monotonic policy, the engineers assign priorities based on their domain expertise, manually inspecting schedulability analysis results. Hence, a priority assignment at later development stages often does not follow the extended rate monotonic policy. For example, as aperiodic tasks are also expected to be completed within a reasonable amount of time, some aperiodic tasks may have higher priorities than some periodic tasks as long as they are schedulable.

Engineers at LuxSpace, however, are still faced with the following issues: (1) Their priority assignment method, which extends the rate monotonic scheduling policy, assigns priorities to tasks in order to ensure only that tasks are to be schedulable. However, engineers have a pressing need to understand the quality of priority assignments in detail as they impact ESAIL operations differently. For example, once ESAIL is launched into orbit, the satellite operates in the space environment, which is inherently impossible to be fully tested on the ground. Unexpected space radiations may trigger unusual system interrupts, which hasn’t been observed on the ground, resulting in overruns of ESAIL tasks’ executions. In such cases, a priority assignment assessed on the ground may not be able to tolerate such unexpected uncertainties. Hence, engineers need a priority assignment that enables ESAIL tasks to tolerate unpredictable uncertainties as much as possible and to be schedulable. (2) Engineers at LuxSpace assign priorities to tasks without any systematic assistance. Instead, they rely on their expertise and the current practices described above to manually assign priorities to ensure that tasks are to be schedulable. To this end, we are collaborating with LuxSpace to develop a solution for addressing these issues in assigning task priority.

3 Problem description

Figure 1: A conceptual model representing the key abstractions to analyze optimal priority assignments.

This section defines the task, scheduler, and schedulability concepts, which extend the concepts defined in our previous work (Lee et al., 2020) by augmenting our previous definitions with the notions of safety margins, constraints in assigning priorities, and relationships between real-time tasks. We then describe the problem of optimizing priority assignments such that we maximize the magnitude of safety margins and the degree of constraint satisfaction. Figure 1 shows an overview of the conceptual model that represents the key abstractions required to analyze optimal priority assignments for real-time systems. The entities in the conceptual model are described below.

Task. We denote by a real-time task that should complete its execution within a specified deadline after it is activated (or arrived). Every real-time task has the following properties: priority denoted by , deadline denoted by , and worst-case execution time (WCET) denoted by . Task priority determines if an execution of a task is preempted by another task. Typically, a task preempts the execution of a task if the priority of is higher than the priority of , i.e., .

The function determines the deadline of a task relative to its arrival time. A task deadline can be either hard or soft. A hard deadline of a task constrains that must complete its execution within a deadline after is activated. While violations of hard deadlines are not acceptable, depending on the operating context of a system, violating soft deadlines may be tolerated to some extent. Note that, for notational simplicity, we do not introduce new notations to distinguish between hard and soft deadlines. In this paper, we refer to a hard deadline as a deadline. Section 6 further discusses how our approach manages hard and soft deadlines.

Real-time tasks are either periodic or aperiodic. Periodic tasks, which are typically triggered by timed events, are invoked at regular intervals specified by their period. We denote by the period of a periodic task , i.e., a fixed time interval between subsequent activations (or arrivals) of . Any task that is not periodic is called aperiodic. Aperiodic tasks have irregular arrival times and are activated by external stimuli which occur irregularly. In real-time analysis, based on domain knowledge, we typically specify a minimum inter-arrival time denoted by and a maximum inter-arrival time denoted by indicating the minimum and maximum time intervals between two consecutive arrivals of an aperiodic task . In real-time analysis, sporadic tasks are often separately defined as having irregular arrival intervals and hard deadlines (Liu, 2000). In our conceptual definitions, however, we do not introduce new notations for sporadic tasks because the deadline and period concepts defined above sufficiently characterize sporadic tasks. Note that for periodic tasks , we have . Otherwise, for aperiodic tasks , we have .

Task relationships. The execution of a task depends not only on its own parameters described above, e.g., priority and period , but also on its relationships with other tasks. Relationships between tasks are typically determined by task interactions related to accessing shared resources and triggering arrivals of other tasks (Di Alesio et al., 2012). Specifically, if two tasks and access a shared resource in a mutually exclusive way, may be blocked from executing for the period during which accesses . We denote by the resource-dependency relation between tasks and that holds if and have mutually exclusive access to a shared resource such that they cannot be executed in parallel or preempt each other, but one can execute only after the other has completed accessing .

The other type of relationship between tasks is related to a task triggering the arrival of another task . This is a common interaction between tasks (Douglass et al., 1990; Anssi et al., 2011; Di Alesio et al., 2015). For example, may hand over some of its workload to due to performance or reliability reasons. We denote by the triggering relation between tasks and that holds if triggers the arrival of . We note that both relationships are defined at the level of tasks, following prior works (Douglass et al., 1990; Anssi et al., 2011; Di Alesio et al., 2015) describing the five industrial case study systems used in our experiments (see Section 7.2).

Scheduler. Let be a set of tasks to be scheduled by a real-time scheduler. A scheduler then dynamically schedules executions of tasks in according to the tasks’ arrivals and the scheduler’s scheduling policy over the scheduling period . We denote by the th arrival time of a task . The first arrival of a periodic task does not always occur immediately at the system start time (). Such offset time from the system start time to the first arrival time of is denoted by . For a periodic task , the th arrival of within is and is computed by . For an aperiodic task , is determined based on the th arrival time of and its minimum and maximum arrival times. Specifically, for , and, for , , where .

A scheduler reacts to a task arrival at by scheduling the execution of . Depending on a scheduling policy (e.g., rate monotonic scheduling policy for single-core systems (Fineberg and Serlin, 1967) and single-queue multi-core scheduling policy (Arpaci-Dusseau and Arpaci-Dusseau, 2018)), an arrived task may not start its execution at the same time as it arrives when higher priority tasks are executing on all processing cores. Also, task executions may be interrupted due to preemption. We denote by the completion time for the th arrival of a task . According to the worst-case execution time of a task , we have: .

During system operation, a scheduler generates a schedule scenario which describes a sequence of task arrivals and their completion time values. We define a schedule scenario as a set of tuples indicating that a task has arrived at and completed its execution at . Due to a degree of randomness in task execution times and aperiodic task arrivals, a scheduler may generate a different schedule scenario for different runs of a system.

(a) Schedule scenario
(b) Schedule scenario
Figure 2: Example schedule scenarios and of three tasks: , , and . (a) The schedule scenario is produced when , , and . (b) The schedule scenario is produced when , , and .

Figure 2 shows two schedule scenarios (Figure (a)a) and (Figure (b)b) produced by a scheduler over the time period of a system run. Both and describe executions of three tasks, , , and arrived at the same time stamps (see in the figures). In both scenarios, the aperiodic task is characterized by: , , , and . The aperiodic task is characterized by: , , , and . The periodic task is characterised by: , , and . The priorities of the three tasks in (resp. ) satisfy the following: (resp. ). In both scenarios, task executions can be preempted depending on their priorities. Then, is defined by , , , , , ; and is defined by , , , , , .

Schedulability. Given a schedule scenario , a task is schedulable if completes its execution before its deadline, i.e., for all observed in , . Let be a set of tasks to be scheduled by a scheduler. A set of tasks is then schedulable if for every schedule of , we have no task that misses its deadline.

As shown in schedule scenarios and presented in Figures (a)a and (b)b, respectively, all three tasks, , , and , are schedulable. However, we note that the overall amounts of remaining time, i.e., safety margins, from the tasks’ completions to their deadlines observed in and are different (see the second completion times and deadlines of , , and in and ) because and are produced by using different priority assignments. Engineers typically desire to assign optimal priorities to real-time tasks that aim at maximizing such safety margins, as discussed below.

Problem. In real-time systems, fixed priorities are typically assigned to tasks (Davis et al., 2016). Finding an appropriate priority assignment is important not only for ensuring the schedulability of a system but also for maximizing the safety margins within which a system can tolerate unexpected execution time overheads. For example, if an unpredictable error occurs and triggers check-point mechanisms (Davis and Burns, 2007), which re-execute part or all of a task , then the execution time of unexpectedly overruns. Hence, engineers need an optimal priority assignment that maximizes the overall remaining times from task completion times to task deadlines, i.e., safety margins.

While assigning priorities to tasks, engineers also account for constraints, that are often but not always domain-specific. For example, aperiodic tasks’ priorities should be lower than those of periodic tasks because periodic tasks are often more critical than aperiodic tasks. Hence, engineers develop a system that prioritizes executions of periodic tasks over aperiodic tasks. Recall from Section 2, this constraint is desirable by engineers. When needed, however, engineers can violate the constraint to some extent in order to ensure that aperiodic tasks complete within a reasonable amount of time while periodic tasks meet their deadlines. Constraints can be either hard constraints, which must be satisfied, or soft constraints, which are desired to be satisfied. In our study, hard constraints need to be assured while scheduling tasks, e.g., a running task’s priority must be higher than a ready task’s priority, which are enforced by a scheduler. In the context of optimizing priority assignments, we focus on maximizing the extent of satisfying soft constraints. We refer to a soft constraint as a constraint in this paper.

Our work aims at optimizing priority assignments that maximize the safety margins while satisfying such constraints. Specifically, for a set of tasks to be analyzed, we define three concepts as follows: (1) a priority assignment for denoted by , (2) the magnitude of safety margins for a priority assignment denoted by , and (3) the degree of constraint satisfaction denoted by . We note that Section 6.3 describes how we optimize , and compute and in detail. Our study aims at finding a set of best possible priory assignments that are Pareto optimal (Knowles and Corne, 2000) such that a priority assignment maximizes both and , and any other priority assignments in are equally viable.

4 Related Work

This section discusses related research strands in the areas of priority assignments, real-time analysis using exhaustive techniques, search-based analysis in real-time systems, and coevolutionary analysis in software engineering.

Properties OPAM RMPO DMPO OPA OPA-MLD RPA FNR-PA PRPA OPTA EPAF
Periodic
task
Aperiodic
task
Resource
dependency
Triggering
relationship
Multi-core
system
Safety
margin
Engineering
constraint
Table 1: Comparing our work, OPAM, with existing priority assignment techniques with respect to the properties captured in their underlying system models.

Priority assignment. The problem of optimally assigning priorities to real-time tasks has been widely studied (Fineberg and Serlin, 1967; Liu and Layland, 1973; Leung and Whitehead, 1982; Audsley, 1991; Tindell et al., 1994; George et al., 1996; Audsley, 2001; Davis and Burns, 2007; Chu and Burns, 2008; Davis and Burns, 2009, 2011; Davis and Bertogna, 2012; Davis et al., 2016; Zhao and Zeng, 2017; Hatvani et al., 2018). Fineberg and Serlin (1967) reported early work that relies on a simple system model, assuming, for example, that all tasks arrive periodically, tasks run on a single processing core, tasks’ deadlines are equal to their periods, and task executions are independent from one another. They proposed a priority assignment method, named rate-monotonic priority ordering (RMPO), that assigns higher priorities to the tasks with shorter periods. RMPO can find a feasible priority assignment that guarantees periodic tasks to be schedulable when such priority assignments exist (Liu and Layland, 1973). Leung and Whitehead (1982) extended RMPO to relax one of the underlying assumptions made in RMPO. Specifically, their priority assignment approach, known as deadline-monotonic priority ordering (DMPO), accounts for task deadlines that can be less than or equal to their periods. In contrast to our work, however, these methods are often not applicable to industrial systems that are not compatible with their simplified system models. Recall from Section 3 that a realistic system typically consists of both periodic and aperiodic tasks. Task executions depend on their relationships, i.e., resource dependencies and triggering relationships, with other tasks.

Audsley (2001) designed a priority assignment method, named optimal priority assignment (OPA), that relies on an existing schedulability analysis method . OPA guarantees to find a feasible priority assignment that is schedulable according to if such priority assignments exist. OPA is applicable to more complex systems than those supported by the methods mentioned above, i.e., RMPO and DMPO. Specifically, OPA can find a feasible priority assignment even in the following situations: (1) First arrivals of periodic tasks occur after some offset time (Audsley, 1991). (2) Aperiodic tasks have arbitrary deadlines (Tindell et al., 1994). (3) Task executions are scheduled based on a non-preemptive scheduling policy (George et al., 1996). (4) Tasks run on multiple processing cores (Davis and Burns, 2011). Unlike our approach that accounts for two objectives, safety margins and engineering constraints (see Section 3), OPA attempts to find a feasible priority assignment whose only objective is to make all tasks schedulable. Note that such a feasible priority assignment does not necessarily maximize safety margins as discussed in Section 3. Hence, a feasible priority assignment obtained by OPA is often fragile and sensitive any changes in task executions and unable to accommodate unexpected overheads in task execution times, which are commonly observed in industrial systems (Davis and Burns, 2007).

OPA has been extended by several works (Davis and Burns, 2007; Chu and Burns, 2008; Davis and Bertogna, 2012; Davis and Burns, 2009). Davis and Burns (2007) presented a robust priority assignment method (RPA) with a degree of tolerance for unexpected overruns of task execution times. Chu and Burns (2008) introduced an extended OPA algorithm (OPA-MLD) that minimizes the lexicographical distance between the desired priority assignment and the one obtained by the algorithm. OPA-MLD enables important tasks to have higher priorities. Davis and Bertogna (2012) proposed an RPA extension (FNR-PA) to make RPA work when a system allows task preemption to be deferred for some interval of time. Davis and Burns (2009) developed a probabilistic robust priority assignment method (PRPA) for a real-time system to be less likely to violate its deadlines. Even though the prior works mentioned above improve OPA to some extent, they assume that task executions are independent of one another. Hence, existing works are not applicable to a real-time system with resource dependencies and triggering relationships among tasks (see our problem description in Section 3).

Some recent priority assignment techniques address scalability. Hatvani et al. (2018) presented an optimal priority and preemption-threshold assignment algorithm (OPTA) that attempts to decrease the computation time for finding a feasible priority assignment. OPTA uses a heuristic to traverse a problem space while pruning infeasible paths to efficiently and effectively explore the problem space. Zhao and Zeng (2017)

introduced an effective priority assignment framework (EPAF) that combines a commercial solver for integer linear programs and their problem-specific optimization algorithm. However, these methods rely on simple system models that assume, for example, task executions to be independent and running on a single processing core. Therefore, the applicability of these techniques is limited. In contrast, recall from Sections 

2 and 3 that our approach aims at scaling to complex industrial systems while accounting for realistic system characteristics regarding task periods, inter-arrival times, resource dependencies, triggering relationships, and multiple processing cores.

Table 1 compares our work, OPAM, with the other priority assignment techniques mentioned above. As shown in the table, we note that prior works rely on system models that are very restrictive. In particular, none of the existing works account for resource dependencies and triggering relationships that are commonly observed in industrial systems. In addition, we note that no existing solution simultaneously accounts for safety margins and engineering constraints. Hence, to our knowledge, OPAM is the first attempt to provide engineers with a set of equally viable priority assignments, allowing tradeoff analysis with respect to the two objectives: maximizing safety margins and satisfying engineering constraints.

Real-time analysis using exhaustive techniques. Constraint programming and model checking have been applied to conclusively and exhaustively verify whether or not a system meets its deadlines (Kwiatkowska et al., 2011; Nejati et al., 2012; Di Alesio et al., 2013, 2012). Existing research on priority assignment based on OPA rely on such exhaustive techniques to prove the schedulability of a set of tasks for a given priority assignment. We note that schedulability analysis is, in general, an NP-hard problem (Davis et al., 2016) that cannot be solved in polynomial time. As a result, exhaustive techniques based on model checking and constraint solving are often not amenable to analyze large industrial systems such as ESAIL – our motivating case study system – described in Section 2. To assess if exhaustive techniques could scale to ESAIL, as discussed in Section 7.8, we performed a preliminary experiment using UPPAAL (Mikucionis et al., 2004), a model checker for real-time systems. We observed that UPPAAL was not able to verify schedulability of ESAIL tasks for a fixed priority assignment even after letting it run for several days (see Section 7.8 for more details).

Search-based analysis in real-time systems. In real-time systems, most of the existing works that use search-based techniques focus on testing (Wegener et al., 1997; Wegener and Grochtmann, 1998; Briand et al., 2005; Lin et al., 2009; Arcuri et al., 2010). Wegener et al. (1997, 1998

) introduced a testing approach based on a genetic algorithm that aims to check computation time, memory usage, and task synchronization by analyzing the control flow of a program.

Briand et al. (2005) applied a genetic algorithm to find stress test scenarios for real-time systems. Lin et al. (2009) proposed a search-based approach to check whether a real-time system meets its timing and security constraints. Arcuri et al. (2010) presented a black-box system testing approach based on a genetic algorithm. Beyond testing real-time systems, Nejati et al. (2013, 2014) developed a search-based tradeoff analysis technique that helps engineers balance the satisfaction of temporal constraints and keeping the CPU time usage at an acceptable level. Lee et al. (2020)

combined a search algorithm and machine learning to estimate safe ranges of worst-case task execution times within which tasks likely meet their deadlines. In contrast to these prior works, OPAM addresses the problem of optimally assigning priorities to real-time tasks while accounting for multiple objectives regarding safety margins and engineering constraints, thus enabling Pareto (tradeoff) analysis. Further, OPAM uses a multi-objective, competitive coevolutionary search algorithm, which has been rarely applied to date in prior studies of real-time systems, as discussed next.

Coevolutionary analysis in software engineering. Despite the success of search-based software engineering (SBSE) in many application domains including software testing (Wegener et al., 1997; Wegener and Grochtmann, 1998; Lin et al., 2009; Arcuri et al., 2010; Shin et al., 2018), program repair (Weimer et al., 2009; Tan et al., 2016; Abdessalem et al., 2020), and self-adaptation (Andrade and Macedo, 2013; Chen et al., 2018; Shin et al., 2020), coevolutionary algorithms have been applied in only a few prior studies (Wilkerson and Tauritz, 2010; Wilkerson et al., 2012; Boussaa et al., 2013). Wilkerson et al. (2010, 2012) present a coevolution-based approach to automatically correct software. Their work introduced a program representation language to facilitate their automated corrections. Boussaa et al. (2013) developed a code-smells detection approach. The main idea is to evolve two competing populations of code-smell detection rules and artificial code-smells. Unlike these prior works, we study the problem of optimally assigning priorities to tasks in real-time systems. To our knowledge, we are the first to address the priority assignment problem using a multi-objective, competitive coevolutionary search algorithm.

5 Approach Overview

Finding an optimal priority assignment is an inherently interactive process. In practice, once engineers assign priorities to the real-time tasks in a system, testers then stress the system to find a condition, i.e., a particular sequence of task arrivals, in which a task execution violates its deadline. Testers typically use a simulator or hardware equipment to stress the system by triggering plausible worst-case arrivals of tasks that maximize the likelihood of deadline misses. If testers find task arrivals that induce deadline misses, the task arrivals are reported to engineers in order to fix the problem by reassigning priorities. This interactive process of assigning priorities and testing schedulability continues until both engineers and testers ensure that the tasks meet their deadlines.

For such intrinsically interactive problem-solving domains, we conjecture that coevolutionary algorithms are potentially suitable solutions. A coevolutionary algorithm is a search algorithm that mutually adapts one of different species, e.g., in our study, two populations of priority assignments and task-arrival sequences, acting as foils against one another. Specifically, we apply multi-objective, two-population competitive coevolution (Luke, 2013) to address our problem of finding optimal priority assignments (see Section 3). In our approach, the two populations of priority assignments and task-arrival sequences evolve synchronously, competing with each other in order to search for optimal priority assignments that maximize the magnitude of safety margins from deadlines and the extent of constraint satisfaction.

Figure 3: An overview of our Optimal Priority Assignment Method for real-time systems (OPAM).

Figure 3 shows an overview of our proposed solution: Optimal Priority Assignment Method for real-time tasks (OPAM). OPAM requires as input task descriptions defined by engineers, which specify task characteristics and their relationships (see Section 3). Given such input task descriptions, the “find worst task arrivals’ and “find best priority assignments” steps aim at generating worst-case sequences of task arrivals and best-case priority assignments, respectively. A worst-case sequence of task arrivals means that the magnitude of deadline misses, i.e., the amounts of time from task deadlines to task completion times, is maximized when tasks arrive as defined in the sequence. Note that if there is no deadline miss, a task-arrival sequence is considered worst-case if tasks complete their executions as close to their deadlines as possible. In contrast, a priority assignment is best-case when the magnitude of safety margins is maximized. Beyond maximizing safety margins, the “find best priority assignments” step accounts for satisfying engineering constraints in assigning priorities to tasks. OPAM evolves two competing populations of task-arrival sequences and priority assignments synchronously generated from the two steps. OPAM then outputs a set of priority assignments that are Pareto optimal with regards to the magnitude of safety margins and the extent of satisfying constraints. Section 6 describes OPAM in detail.

6 Competitive Coevolution

1Algorithm Search optimal priority assignments
2Input : task descriptions
3Input : number of coevolution cycles //budget
4Input : population size //task-arrival sequences
5Input : pupulation size //priority assignments
6Input : crossover probability //task-arrival sequences
7Input : crossover probability //priority assignments
8Input : mutation probability //task-arrival sequences
9Input : mutation probability //priority assignments
10Input : set of task-arrival sequences //external evaluation
11Output : best Pareto front
12
13//initialize populations
14
15
16
17for  times do
18   //evolution: find worst-case sequences of task arrivals
19   //objective: deadline misses
20   
21    //GA
22 
23   //evolution: find best-case priority assignments
24   //objectives: safety margins and constraints
25   
26    //NSGAII
27 
28   //external fitness evaluation
29   //objectives: safety margins and constraints
30   
31   
32
33return 
Figure 4: Multi-objective two-population competitive coevolution for finding optimal priority assignments.

Figure 4 describes the OPAM algorithm for finding optimal priority assignments, which employs multi-objective, two-population competitive coevolution. The algorithm first randomly initializes two populations and for task-arrival sequences and priority assignments, respectively (lines 13–15). For , OPAM randomly varies task arrivals of aperiodic tasks to create task-arrival sequences, according to the input task descriptions . Regarding , OPAM randomly creates priority assignments that may include one defined by engineers if available.

The two populations sequentially evolve during the allotted analysis budget (see line 17 in Figure 4). The best priority assignment is the one that makes tasks schedulable and maximizes the magnitude of safety margins, while satisfying engineering constraints for a given worst sequence of task arrivals. Hence, searching for the best priority assignments involves searching for the worst sequences of task arrivals. We create two populations and searching for the worst arrival sequences and the best priority assignments, respectively. The fitness values of task-arrival sequences in are computed based on how well they challenge the priority assignments in , i.e., maximizing the magnitude of deadline misses (line 20). Likewise, the priority assignments in are evaluated based on how well they perform against the task-arrival sequences in , i.e., maximizing the magnitude of safety margins while satisfying constraints (line 25). Once the two populations are assessed against each other, OPAM generates the next populations based on the computed fitness values (lines 21 and 26). OPAM tailors the breading mechanisms of steady-state genetic algorithms (GA) (Whitley and Kauth, 1988) for and NSGAII (Deb et al., 2002) for .

OPAM uses two types of fitness functions, namely internal and external fitness evaluations, which play a different and complementary role as described below. The two internal fitness evaluations in lines 20 and 25 of the listing in Figure 4 aim at selecting individuals – task-arrival sequences and priority assignments – for breeding the next and populations. OPAM evaluates the external fitness for the population of priority assignments to find a best Pareto front (lines 28–31). As shown in lines 20 and 25, the internal fitness values of individuals in (resp. ) are computed based on how they perform with respect to individuals in (resp. ). Hence, an individual’s internal fitness is assessed through interactions with competing individuals. For example, a priority assignment in the first generation may have acceptable fitness values regarding safety margins and constraint satisfaction with respect to the first generation of task-arrival sequences, which are likely far from worst-case sequences. However, priority assignment fitness may get worse in later generations as the task-arrival sequences evolve towards larger deadline misses. Thus, if OPAM simply monitors internal fitness, it cannot reliably detect coevolutionary progress as an individual’s internal fitness changes according to competing individuals. The problem of monitoring progress in coevolution has been observed in many studies (Ficici, 2004; Popovici et al., 2012). To address it, OPAM computes external fitness values of priority assignments in based on a set of task-arrival sequences generated independently from the coevolution process. By doing so, OPAM can observe the monotonic improvement of external fitness for priority assignments. We note that, in general, if interactions between two competing populations are finite and any interaction can be examined with non-zero probability at any time, monotonicity guarantees that a coevolutionary algorithm converges to a solution (Popovici et al., 2012).

We note that our approach for evolving task-arrival sequences is based on past work (Briand et al., 2005), where a specific genetic algorithm configuration was proposed to find worst-case task-arrival sequences. One significant modification is that OPAM accounts for task relationships – resource-dependency and task triggering relationships – and a multi-core scheduling policy based on simulations to evaluate the magnitude of deadline misses.

Following standard practice (Ralph et al., 2020)

, the next sections describe OPAM in detail by defining the representations, the scheduler, the fitness functions, and the evolutionary algorithms for coevolving the task-arrival sequences and priority assignments. We then describe the external fitness evaluation of OPAM.

6.1 Representations

OPAM coevolves two populations of task-arrival sequences and priority assignments. A task-arrival sequence is defined by their inter-arrival time characteristics (see Section 3). A priority assignment is defined by a function that maps priorities to tasks.

Task-arrival sequences. Given a set of tasks to be scheduled, a feasible sequence of task arrivals is a set of tuples where and is the th arrival time of a task . Thus, a solution represents a valid sequence of task arrivals of (see valid computation in Section 3). Let be the time period during which a scheduler receives task arrivals. The size of is equal to the number of task arrivals over the time period. Due to the varying inter-arrival times of aperiodic tasks (Section 3), the size of will vary across different sequences.

Priority assignments. Given a set of tasks to be scheduled, a feasible priority assignment is a list of priority for each task . OPAM assigns a non-negative integer to a priority of such that priorities are comparable to one another. The size of is equal to the number of tasks in . Each task in has a unique priority. Hence, a priority assignment is a permutation of all tasks’ priorities. We note that these characteristics of priority assignments are common in many real-time analysis methods (Audsley, 2001; Davis and Burns, 2007; Zhao and Zeng, 2017) and industrial systems (e.g., see our six industrial case study systems described in Section 7.2).

6.2 Simulation

OPAM relies on simulation for analyzing the schedulability of tasks in a scalable way. For instance, an inter-arrival time of a software update task in a satellite system is approximately at most three months. In such cases, conducting an analysis based on an actual scheduler is prohibitively expensive. Also, applying an exhaustive technique for schedulability analysis typically doesn’t scale to an industrial system (e.g., see our experiment results using a model checker described in Section 7.8). Instead, OPAM uses a real-time task scheduling simulator, named OPAMScheduler, which applies a scheduling policy, i.e., single-queue multi-core scheduling policy (Arpaci-Dusseau and Arpaci-Dusseau, 2018), based on discrete simulation time events. Note that we chose the single-queue multi-core scheduling policy for OPAMScheduler since our case study systems (described in Section 7.2) rely on this policy.

OPAMScheduler takes as input a feasible task-arrival sequence and a priority assignment for scheduling a set of tasks. It then outputs a schedule scenario as a set of tuples where and are the th arrival and end time values of a task , respectively (see Section 3). For each task , OPAMScheduler computes based on its scheduling policy while accounting for the task relationships (see the resource-dependency relationship and the task triggering relationship in Section 3).

OPAMScheduler implements a single-queue multi-core scheduling policy (Arpaci-Dusseau and Arpaci-Dusseau, 2018), which schedules a task with explicit priority and deadline . When tasks arrive, OPAMScheduler puts them into a single queue that contains tasks to be scheduled. At any simulation time, if there are tasks in the queue and multiple cores are available to execute tasks, OPAMScheduler first fetches a task from the queue in which has the highest priority . OPAMScheduler then allocates task to any available core. Note that if task shares a resource with a running task in another core, i.e., the resource-dependency relationship holds, OPAMScheduler follows standard task-blocking rules (Liu, 2000), i.e., will be blocked until releases the shared resource.

OPAMScheduler works under the assumption that context switching time is free, which is also a working assumption in many scheduling analysis methods (Liu and Layland, 1973; Audsley, 2001; Di Alesio et al., 2015). Note that the assumption is practically valid and useful at an early development step in the context of real-time analysis. For instance, our collaborating partner, LuxSpace, accounts for the waiting time of tasks due to context switching between tasks through adding some extra time to WCET estimates at the task design stage. Note that OPAM can be applied with any scheduling policy, including those that account for context switching time and multiple queues.

6.3 Fitness functions

Internal fitness: deadline misses. Given a feasible task-arrival sequence and a priority assignment , we formulate a function, , to quantify the degree of deadline misses regarding a set of tasks to be scheduled. To compute , OPAM runs OPAMScheduler for and and obtains a schedule scenario . We denote by the distance between the end time and the deadline of the th arrival of task observed in and define (see Section 3 for the notation end time , arrival time , and deadline ). We denote by the last arrival index of a task in . Given a set of tasks to be scheduled, the function is defined as follows:

Note that is defined as an exponential equation. Hence, when all task executions observed in a schedule scenario meet their deadlines, is a small value as any distance between the task end time and the deadline of the th arrival of task is a negative value. In contrast, deadline misses result in positive values for . In such cases, is a large value. The exponential form of was precisely selected for this reason, to assign large values for deadline misses but small values when deadlines are met. By doing so, prevents an undesirable solution that would result into many task executions meeting deadlines obfuscating a smaller number of deadline misses.

Following the principles of competitive coevolution, individuals in a population of task-arrival sequences need to be assessed by pitting them against individuals in the other population of priority assignments. We denote by the internal fitness function that quantifies the overall magnitude of deadline misses across all priority assignment , regarding a set of tasks to be scheduled. OPAM aims to maximize , defined as follows:

Internal fitness: safety margins. Given a feasible priority assignment and a task-arrival sequence , we denote by the magnitude of safety margins regarding a set of tasks to be scheduled. The computation of is similar to the computation of regarding the use of OPAMScheduler, which outputs a schedule scenario . The difference is that OPAM reverses the sign of as OPAM aims at maximizing the magnitude of safety margins. Given a set of tasks to be scheduled, the function is defined as follows:

Given two populations and of priority assignments and task-arrival sequences, similar to internal fitness , priority assignments in need to be assessed against task-arrival sequences in . We formulate an internal fitness function, , to quantify the overall magnitude of safety margins across all task-arrival sequences , regarding a set of tasks to be scheduled and a priority assignment . OPAM aims to maximize , which is defined as follows:

Internal fitness: constraints. Given a priority assignment , we formulate an internal fitness function, , to quantify the degree of satisfaction of soft constraints set by engineers. Such function is required as we cast of satisfying such constraints into an optimization problem in order to minimize constraint violations. Specifically, OPAM accounts for the following constraint: aperiodic tasks should have lower priorities than those of periodic tasks. We denote by the lowest priority of periodic tasks in . For a set of tasks to be scheduled, OPAM aims to maximize , which is defined as follows:

Greater values denote higher priorities. Given a priority assignment , if for an aperiodic task is lower than the priority of any of the periodic tasks, is a positive value. OPAM measures the difference between priorities of aperiodic and periodic tasks. By doing so, rewards aperiodic tasks that satisfy the above constraint and consistently penalizes those that violate it. Hence, OPAM aims at maximizing .

External fitness: safety margins and constraints. To examine the quality of priority assignments and gauge the progress of coevolution, OPAM takes as input a set of task-arrival sequences created independently from the coevolution process. Given a set of task-arrival sequences and a priority assignment , OPAM utilizes and described above as external fitness functions for quantifying the magnitude of safety margins and the extent of constraint satisfaction, respectively. As does not change over the coevolution process, is used for evaluating a priority assignment since it is not impacted by the evolution of task-arrival sequences. Hence, external fitness functions ensure that OPAM monitors the progress of coevolution in a stable manner.

We note that soft deadline tasks also require to execute within reasonable execution time, i.e., (soft) deadline. As the above fitness functions return quantified degrees of deadline misses and safety margins, OPAM uses the same fitness functions for both soft and hard deadline tasks.

6.4 Evolution: Worst-case task arrivals

1Algorithm Task-arrival sequences evolution
2Input : population of task-arrival sequences
3Input : population of priority assignments
4Input : crossover probability //task-arrival sequences
5Input : mutation probability //task-arrival sequences
6Output : population of task-arrival sequences
7
8//evaluate internal fitness values for 
9for each 
10   for each 
11       //OPAMScheduler
12      // is computed based on 
13      
14   
15
16//breed task-arrival sequences
17
18
19
20//evaluate internal fitness values for 
21for each 
22   for each 
23       //OPAMScheduler
24      // is computed based on 
25      
26   
27
28
29return 
Figure 5: A steady-state GA-based algorithm for evolving task-arrival sequences.

The algorithm in Figure 5 describes in detail the evolution of task-arrival sequences in lines 18–21 of the listing in Figure 4. OPAM adapts a steady-state Genetic Algorithm (GA) (Luke, 2013) for evolving task-arrival sequences. As shown in lines 8–14, OPAM first evaluates each task-arrival sequence in the population against the population of priority assignments. OPAM executes OPAMScheduler to obtain a schedule scenario for a task-arrival sequence and a priority assignment (line 11). OPAM then computes the internal fitness capturing the magnitude of deadline misses (lines 12–14). We note that a steady-state GA iteratively breeds offspring, assess their fitness, and then reintroduce them into a population. However, OPAM computes internal fitness of all task-arrival sequences in at every generation. This is because internal fitness is computed in relation to , which is coevolving with .

Breeding the next population is done by using the following genetic operators: (1) Selection: OPAM selects candidate task-arrival sequences using a tournament selection technique, with the tournament size equal to two which is the most common setting (Gendreau and Potvin, 2010) (line 17 in Figure 5). (2) Crossover: Selected candidate task-arrival sequences serve as parents to create offspring using a crossover operation (line 18). (3) Mutation: The offspring are then mutated (line 19). Below, we describe our crossover and mutation operators.

Crossover. A crossover operator is used to produce offspring by mixing traits of parent solutions. OPAM modifies the standard one-point crossover operator (Luke, 2013) as two parent task-arrival sequences and may have different sizes, i.e., . Let be a set of tasks to be scheduled. Our crossover operator first randomly selects an aperiodic task . For all and , OPAM then swaps all arrivals between the two task-arrival sequences and . Since is fixed for all solutions, OPAM can cross over two solutions that may have different sizes.

Mutation operator OPAM uses a heuristic mutation algorithm. For a task-arrival sequence , OPAM mutates the th task arrival time of an aperiodic task with a mutation probability. OPAM chooses a new arrival time value of based on the inter-arrival time range of . If such a mutation of the th arrival time of does not affect the validity of the th arrival time of , the mutation operation ends. Specifically, let be a mutated value of . In case , OPAM returns the mutated task-arrival sequence.

After mutating the th arrival time of a task in a solution , if the th arrival becomes invalid, OPAM corrects the remaining arrivals of . Let and be, respectively, the original and mutated th arrival time of . For all the arrivals of after , OPAM first updates their original arrival time values by adding the difference . Let be the scheduling period. OPAM then removes some arrivals of if they are mutated to arrive after or adds new arrivals of while ensuring that all tasks arrive within .

As shown in lines 20–26 in Figure 5, the internal fitness of the generated offspring is computed based on the population. OPAM then updates the population of task-arrival sequences by comparing the offspring and individuals in (line 27).

We note that when a system is only composed of periodic tasks, OPAM will skip evolving for worst-case arrival sequences as arrivals of periodic tasks are deterministic (see Section 3). Nevertheless, OPAM will optimize priority assignments based on given arrivals of periodic tasks. When needed, OPAM can be easily extended to manipulate offset and period values for periodic tasks, in a way identical to how we currently handle inter-arrival times for aperiodic tasks.

6.5 Evolution: Best-case priority assignments

1Algorithm Priority assignments evolution
2Input : population of task-arrival sequences
3Input : population of priority assignments
4Input : pupulation size //priority assignments
5Input : crossover probability //priority assignments
6Input : mutation probability //priority assignments
7Output : population of priority assignments
8
9//evaluate internal fitness values for 
10for each 
11   for each 
12       //OPAMScheduler
13      // is computed based on 
14      
15   
16   
17
18//breed priority assignments
19
20
21
22//evaluate internal fitness values for 
23for each 
24   for each 
25       //OPAMScheduler
26      // is computed based on 
27      
28   
29   
30
31
32
33
34return 
Figure 6: An NSGAII-based algorithm for evolving priority assignments.

Figure 6 shows the evolution procedure of priority assignments, which refines lines 23–26 in Figure 4. OPAM tailors the Non-dominated Sorting Genetic Algorithm version 2 (NSGAII) (Deb et al., 2002) to generate a non-dominating (equally viable) set of priority assignments, representing the best tradeoffs found among the given internal fitness functions. This is referred to as a Pareto nondominated front (Knowles and Corne, 2000), where the dominance relation over priority assignments is defined as follows: A priority assignment dominates another priority assignment if is not worse than in all fitness values, and is strictly better than in at least one fitness value. NSGAII has been applied to many multi-objective optimization problems (Langdon et al., 2010; Shin et al., 2018; Wang et al., 2020).

OPAM maintains a population of priority assignments as an archive that contains the best priority assignments discovered during coevolution. Unlike a standard application of NSGAII, in our study, we need to reevaluate the internal fitness values for priority assignments in at every generation as the internal fitness values are computed based on the population of task-arrival sequences, which coevolves. As shown in lines 9–16 in Figure 6, OPAM first computes the internal fitness functions that measure the magnitude of safety margins and the extent of constraint satisfaction. OPAM then sorts non-dominated Pareto fronts (line 19) and assigns crowding distance (line 20) to introduce diversity among non-dominated priority assignments (Deb et al., 2002).

For breeding the next population of priority assignments (line 21 in Figure 6, OPAM applies the following standard genetic operators (Sivanandam and Deepa, 2008) that have been applied to many similar problems (Islam et al., 2012; Marchetto et al., 2016; Shin et al., 2018): (1) Selection. OPAM uses a binary tournament selection based on non-domination ranking and crowding distance. The binary tournament selection has been used in the original implementation of NSGAII (Deb et al., 2002). (2) Crossover. OPAM applies a partially mapped crossover (PMX) (Goldberg and Lingle, 1985). PMX ensures that the generated offspring are valid permutations of priorities. (3) Mutation. OPAM uses a permutation swap method for mutating a priority assignment. This mutation method interchanges two randomly-selected priorities in a priority assignment according to a given mutation probability.

For the generated population of priority assignments, OPAM computes the two internal fitness functions (lines 22–29 in Figure 6). OPAM then sorts non-dominated Pareto fronts for the union of the current and next populations (line 30), assign crowding distance (line 31), and select the best archive by accounting for the computed non-domination ranking and crowding distance (line 32).

6.6 External fitness evaluation

1Algorithm Priority assignments evolution
2Input : set of task-arrival sequences //external evaluation
3Input : population of priority assignments
4Input : pupulation size //priority assignments
5Input : crossover probability //priority assignments
6Input : mutation probability //priority assignments
7Output : population of priority assignments
8
9//evaluate external fitness values for 
10for each 
11   for each 
12       //OPAMScheduler
13      // is computed based on 
14