Real-Time Systems, 23, 55±84, 2002
# 2002 Kluwer Academic Publishers. Manufactured in The Netherlands.
Scheduler Modeling Based on the Controller
Synthesis Paradigm
K. ALTISEN altisen@imag.fr
V
ERIMAG, 2 av. de Vignate, 38610 Gie
Á
res, France
G. GO
È
SSLER goessler@imag.fr
V
ERIMAG, 2 av. de Vignate, 38610 Gie
Á
res, France
J. SIFAKIS sifakis@imag.fr
V
ERIMAG, 2 av. de Vignate, 38610 Gie
Á
res, France
Abstract. The controller synthesis paradigm provides a general framework for scheduling real-time
applications. Schedulers can be considered as controllers of the applications; they restrict their behavior so
that given scheduling requirements are met.
We study a modeling methodology based on the controller synthesis paradigm. The methodology allows to get
a correctly scheduled system from timed models of its processes in an incremental manner, by application of
composability results which simplify schedulability analysis. It consists in restricting successively the system to
be scheduled by application of constraints de®ned from scheduling requirements. The latter are a conjunction of
schedulability requirements that express timing properties of the processes and policy requirements about
resource management.
The presented methodology allows a uni®ed view of scheduling theory and approaches based on timing
analysis of models of real-time applications.
Keywords: modeling real-time systems, scheduler design, controller synthesis, dynamic priorities,
composability
1. Introduction
Schedulers coordinate the execution of system activities, so that requirements about their
temporal behavior are met. Guaranteeing their correctness is essential for the
development of dependable real-time systems. Well established theory and scheduling
algorithms have been successfully applied to real-time systems development. Existing
scheduling theory requires the application to ®t into the mathematical framework of the
schedulability criterion (e.g., all processes are supposed periodic, worst case execution
times are known). Studies to relax such hypotheses have been carried out, but no uni®ed
approach has been proposed so far. To overcome these limitations, an alternative
approach consists in extracting a scheduler from an abstract timed model of a real-time
application by using analysis or synthesis tools (Ben-Abdalla et al., 1999; Bertin et al.,
2000; Henzinger et al., 2001; Jensen et al., 2000; Kwak et al., 1998; Niebert and Yovine,
2000).
The controller synthesis paradigm (Ramadge and Wonham, 1987) provides a general
framework for scheduling. A scheduler can be considered as a controller of the real-time
application which restricts its behavior so that given scheduling requirements are met.
Behavior restriction essentially amounts to resolving non-determinism due to concurrent
access of processes to shared resources.
To apply the controller synthesis paradigm, it is necessary to use a timed model
representing the dynamic behavior of the real-time application. The scheduler for a given
set of scheduling requirements is also a timed system which observes the state of the
application and adequately restricts its behavior by triggering controllable actions that is,
actions giving access to shared resources (see Figure 1). The role of the scheduler consists
precisely in observing the application and maintaining the requirements satis®ed in spite
of ``disturbances'' of the environment and of internal actions of the application, usually
represented by uncontrollable actions, such as process arrival or process termination.
We have shown in (Altisen et al., 1999) how schedulers can be computed by
application of a synthesis method to systems represented by well-timed models that is, to
timed models where time can always progress. For such systems, scheduling
requirements can be characterized as a safety property expressing the fact that a
constraint (state predicate) K always holds. The main result is that there exists a scheduler
maintaining K if there exists a non-empty control invariant K
0
which implies K. The
control invariant K
0
represents the set of the states from which K
0
(and thus K) can be
preserved, in the sense that if the application is initially at a state satisfying K
0
then it is
possible to remain in states of K
0
by triggering controllable actions preserving K
0
, and it is
not possible to violate K
0
by uncontrollable actions.
Control invariants implying a given scheduling constraint K can be computed by
controller synthesis methods (Altisen et al., 1999, 2000; Lin and Wonham, 1988; Maler et
al., 1995; Ramadge and Wonham, 1987). The existence of a non-empty control invariant
is a necessary and suf®cient condition for the existence of a scheduler. The latter can be
constructed from the control invariant and the timed model of the application. A common
limitation of controller synthesis algorithms is their complexity that makes problematic
their application to large systems.
Figure 1. Interactions between the environment, the application and its scheduler.
56 ALTISEN ET AL.
We use the controller synthesis paradigm as a unifying framework for scheduling real-
time applications. According to this paradigm, a scheduler can be speci®ed as a pair
consisting of the timed model of the application to be scheduled and of a constraint K
characterizing scheduling requirements. We study a modeling methodology which, from
such an initial speci®cation allows ®nding a scheduler by circumventing as much as
possible complexity problems. The paper contributes along the following three
directions.
First, it provides a notation and a methodology for modeling the application as a timed
system composed of the processes to be scheduled, their resources and the associated
synchronization constraints. Timing constraints relate in particular process execution
speed with the dynamics of their external environment. For the sake of simplicity, we use
discrete time models. The methodology can be adapted to continuous time models
modulo some additional problems related to well-timedness of descriptions.
The proposed notation uses results presented in Altisen et al. (2000) and allows an
incremental description of the application, starting from its processes and then adding
timing constraints and synchronization constraints associated to the resources. It allows
modeling in a direct manner dynamic priorities and preemption as well as concepts such
as urgency, idling and timeliness. Furthermore, the models are well-timed, by
construction.
Second, the paper shows that scheduling requirements can be characterized as the
invariance of a constraint which is the conjunction of two classes of constraints:
schedulability requirements K
sched
and a ( possibly empty) set of constraints
characterizing a particular scheduling policy K
pol
. K
sched
characterizes the dynamic
properties of the application to be satis®ed by the scheduler, relating execution times,
process arrival times, and deadlines. K
pol
deals with the management of shared resources
and can be decomposed into the conjunction of two ( possibly empty) classes of
constraints: con¯ict resolution constraints K
res
that determine the rules for granting a
resource to con¯icting processes, and admission control constraints K
adm
that determine
when the scheduler considers a non-con¯icting request for a free resource.
Finally, the paper provides conditions under which an incremental modeling
methodology can be applied to get the scheduler. The search for control invariants
implying given scheduling requirements of the form K
sched
6K
pol
is decomposed into two
steps. A ®rst step for computing a scheduler maintains the scheduling policy speci®ed by
K
pol
. This step does not require the application of synthesis algorithms, as K
pol
is shown
to be a control invariant. The second step aims at establishing that the system scheduled
according to K
pol
meets the schedulability requirements K
sched
. This step requires in
general, the application of synthesis or veri®cation techniques that can be carried out by
existing timing analysis tools such as K
RONOS (Daws et al., 1996), UPPAAL (Jensen et al.,
2000), H
YTECH (Henzinger et al., 1997).
The paper is organized as follows. Section 2 presents models and basic results about
controller synthesis that are used throughout the paper. The main results concern control
invariants and their composability properties which play an instrumental role in the
modeling methodology. Section 3 focuses on modeling issues of the real-time
application to be scheduled including modeling of the processes, the associated
timing constraints, and the resource management and synchronization. Section 4
SCHEDULER MODELING BASED ON THE CONTROLLER SYNTHESIS PARADIGM 57
presents a method for specifying scheduling policies and computing the associated
scheduler. The application of the method is illustrated with several examples. Section 5
proposes a method for specifying schedulability requirements and getting a correct
scheduler by using synthesis or veri®cation tools. Section 6 illustrates the method on an
example.
2. Controller Synthesis
2.1. Timed System
To model scheduling algorithms, we use reactive timed systems with two kinds of actions
as in Altisen et al. (1999): controllable actions that can be triggered by the scheduler, and
uncontrollable actions that are internal actions of the processes to be scheduled or actions
of the environment. Controllable actions are typically resource allocations while
uncontrollable actions are process arrival and termination.
Both controllable and uncontrollable actions are subject to timing constraints
expressed in terms of natural variables called timers. The rates of timers may take the
values 0 or 1, as speci®ed by a Boolean vector.
De®nition 2.1 (X-constraint). Let X be a ®nite set of timers, fx
1
; ...; x
m
g, natural
variables de®ned on the set of naturals N {0; 1; 2; ...}. An X-constraint is a predicate C
generated by the grammar C :: x d | x y d | C6C | :C, where x; y [ X; d is an
integer.
De®nition 2.2 (Timed system). A timed system consists of the following:
1. An untimed labeled transition system S; A; T where S is a ®nite set of control states,
A is a ®nite vocabulary of actions partitioned into two sets of controllable and
uncontrollable actions noted A
c
and A
u
, and T(S6A6S is an untimed transition
relation.
2. A ®nite set of timers X fx
1
; ...; x
m
g, as in De®nition 2.1.
3. A function b mapping S into f0; 1g
m
. The image of s [ S by b denoted b
s
is a Boolean
rate vector.
4. A labeling function h mapping untimed transitions of T into timed transitions:
hs; a; s
0
s; a; g; t; r; s
0
, where g is an X-constraint called guard; r(X is a set of
timers to be reset; t[fd; eg is an urgency type, respectively delayable and eager.
Semantics. A timed system de®nes a transition graph v; e constructed as follows.
v S6N
m
, that is, vertices s; x are states of the timed system.
58
ALTISEN ET AL.
The set e(v6 A [N nf0g6v of the edges of the graph is partitioned into three
classes of edges: e
c
controllable, e
u
uncontrollable, and e
t
timed, corresponding
respectively to the case where the label is a controllable action, an uncontrollable action,
and a strictly positive integer.
Given s [ S, let J be the set of indices such that fs; a
j
; s
j
g
j [ J
is the set of all untimed
transitions departing from s. Also, let hs; a
j
; s
j
s; a
j
; g
j
; t
j
; r
j
; s
j
. For all j [ J,
s; x; a
j
; s
j
; xr
j
[ e
c
[ e
u
iff g
j
x holds and xr
j
is the timer valuation obtained
from x when all the timers in r
j
are set to zero and the others are left unchanged.
To de®ne e
t
, we use the predicate j, called time progress function. The notation
js; x; t means that time can progress from state s; x by t.
js; x; t()
^
j [ J
t
j
d ) Vt
0
[ f0; ...; t 1g :g
j
x t
0
b
s
V
g
j
x t
0
1b
s
t
j
e ) Vt
0
[ f0; ...; t 1g :g
j
x t
0
b
s
8
>
<
>
:
where x tb
s
is the valuation obtained from x by increasing by t the timer values for
which b
s
elements are equal to one. We de®ne e
t
such that s; x; t; s; x tb
s
[ e
t
if
and only if js; x; t. The above de®nition means that at control state s, time cannot
progress beyond the falling edge of a delayable guard, or whenever an eager guard is
enabled.
Timed systems are automata extended with time variables as timed or hybrid automata
(Alur et al., 1995; Alur and Dill, 1994) where time variables are real-valued. We prefer
using discrete time variables for the sake of simplicity. The presented approach is also
applicable to dense time models modulo some technical problems related to time density.
Another difference between our model and dense timed and hybrid automata is well-
timedness, that is, time can always progress at a state where no transition is enabled. This
property is crucial for the expression of schedulability requirements as a safety property
(see Section 5).
We will usually denote by TS a timed system. TS
c
(resp. TS
u
) represents the timed
system consisting of the controllable (resp. uncontrollable) transitions of TS only.
Lemma 2.1 If j, j
c
,andj
u
are respectively, the time progress functions of TS, TS
c
,
and TS
u
, then j j
c
6j
u
.
Example 2.1 (A basic process). Figure 2 represents as a timed system a periodic
process P of period T, execution time E, and deadline of D05E D T.
The timed system has three control states, s, w, and u where P is respectively, sleeping,
waiting and executing. The actions a, b, and e stand for arrive, begin, and end. The timer
x is used to measure execution time while the timer t measures the time elapsed since
process arrival. In all states, both timers progress. The only controllable action is b.
By convention, transition labels are of the form a
y
; g
t
; r, where y can be u
(uncontrollable) or c (controllable), t is an urgency type, and r is a set of timers to be
reset. The upperscript c may be omitted, as well as the set r if it is empty.
SCHEDULER MODELING BASED ON THE CONTROLLER SYNTHESIS PARADIGM 59