ACSR syntax (fragment): $A : P$, $P + P$, and process constants $C \stackrel{def}{=} P$.
4/13/02 ETAPS 2002 25
Constant and Nil
$C \stackrel{def}{=} P$   C is a constant that represents the process algebra expression P
$P = NIL$   P does nothing
Prefix Operators
$P = A : Q$   P performs timed action A and then behaves as Q
$P = (a,n).Q$   P performs event (a,n) and then behaves as Q
EXAMPLE
$Talk \stackrel{def}{=} \{(phone,2)\} : (hangup,1).Operator$
$Operator \stackrel{def}{=} (ring,1).(pickup,1).Talk$
Choice
$P = Q + R$   P can choose nondeterministically to behave like Q or R
EXAMPLE
$CAR \stackrel{def}{=} (goleft,1).CAR' + (goright,1).CAR''$
Parallel Composition
$P = Q \parallel R$   P is composed of Q and R, which may synchronize on events and must synchronize on timed actions
EXAMPLE
$Converse \stackrel{def}{=} Caller \parallel Operator$
$Caller \stackrel{def}{=} (ring!,2).\{(phone',3)\} : (hangup!,1).Caller$
$Operator \stackrel{def}{=} (ring?,1).\{(phone,2)\} : (hangup?,1).Operator$
Scope
$P = Q\,\Delta^{a}_{t}(R, S, T)$   Q may execute for at most t time units. If message a is produced, control is delegated to R, else control is delegated to S. At any time T may interrupt.
EXAMPLE
$Run \stackrel{def}{=} \{(run,1)\} : Run + finish!.NIL$
$Runner \stackrel{def}{=} Run\,\Delta^{finish}_{10}(GoForCoffee, GoToWork, BeepedToWork)$
Hiding/Restriction
$P = [Q]_I$   P behaves just as Q but resources in I are no longer visible to the environment
EXAMPLE
$Caller \parallel PayPhone \parallel [Home]_{phone}$
$P = Q \backslash F$   P behaves just as Q but labels in F are no longer visible to the environment
ACSR semantics
Gives an unambiguous meaning to language expressions.
Semantics is operational, given by a set of semantic rules.
Example of a labeled transition system: [figure: states $P_0, P_1, P_2, P_3, P_4$ connected by transitions labeled with timed actions such as $\{(gate,\cdot),(train,\cdot)\}$, events, and the idle action $\emptyset$]
[diagram: ACSR specification -> Semantic rules -> Labeled transition system]
ACSR semantics
Two-level semantics:
A collection of inference rules gives the unprioritized transition relation $P \xrightarrow{\alpha} P'$
A preemption relation on actions and events disables some of the transitions, giving a prioritized transition relation $P \xrightarrow{\alpha}_{\pi} P'$
Unprioritized transition relation
Prefix operators:
  ActT: $A : P \xrightarrow{A} P$
  ActI: $(a,p).P \xrightarrow{(a,p)} P$
Choice:
  ChoiceL: $\dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}$
Parallel:
  ParIL: $\dfrac{P \xrightarrow{(a,p)} P'}{P \parallel Q \xrightarrow{(a,p)} P' \parallel Q}$
Unprioritized transition relation (II)
Resource-constrained execution:
  ParT: $\dfrac{P \xrightarrow{A_1} P' \quad Q \xrightarrow{A_2} Q' \quad \rho(A_1) \cap \rho(A_2) = \emptyset}{P \parallel Q \xrightarrow{A_1 \cup A_2} P' \parallel Q'}$
Priority-based communication:
  ParCom: $\dfrac{P \xrightarrow{(a?,p_1)} P' \quad Q \xrightarrow{(a!,p_2)} Q'}{P \parallel Q \xrightarrow{(\tau,\,p_1+p_2)} P' \parallel Q'}$
Resource closure:
  CloseT: $\dfrac{P \xrightarrow{A_1} P' \quad A_2 = \{(r,0) \mid r \in I - \rho(A_1)\}}{[P]_I \xrightarrow{A_1 \cup A_2} [P']_I}$
Examples
Resource conflict
Processes must provide for preemption:
$P \stackrel{def}{=} \{(r,1)\} : P'$, $Q \stackrel{def}{=} \{(r,2)\} : Q'$ gives $P \parallel Q \sim NIL$ (neither process can idle, so the conflict on r blocks both)
Unprioritized transitions of $P \stackrel{def}{=} \{(r,1)\} : P' + \emptyset : P$, $Q \stackrel{def}{=} \{(r,2)\} : Q' + \emptyset : Q$:
$P \parallel Q \xrightarrow{\{(r,1)\}} P' \parallel Q$
$P \parallel Q \xrightarrow{\{(r,2)\}} P \parallel Q'$
$P \parallel Q \xrightarrow{\emptyset} P \parallel Q$
Unprioritized transition relation (III)
ScopeCT: $\dfrac{P \xrightarrow{A} P' \quad t > 0}{P\,\Delta^{a}_{t}(Q,R,S) \xrightarrow{A} P'\,\Delta^{a}_{t-1}(Q,R,S)}$
ScopeE: $\dfrac{P \xrightarrow{(a,n)} P' \quad t > 0}{P\,\Delta^{a}_{t}(Q,R,S) \xrightarrow{(\tau,n)} Q}$
ScopeCI: $\dfrac{P \xrightarrow{e} P' \quad l(e) \neq a \quad t > 0}{P\,\Delta^{a}_{t}(Q,R,S) \xrightarrow{e} P'\,\Delta^{a}_{t}(Q,R,S)}$
ScopeT: $\dfrac{R \xrightarrow{\alpha} R' \quad t = 0}{P\,\Delta^{a}_{t}(Q,R,S) \xrightarrow{\alpha} R'}$
ScopeI: $\dfrac{S \xrightarrow{\alpha} S' \quad t > 0}{P\,\Delta^{a}_{t}(Q,R,S) \xrightarrow{\alpha} S'}$
Example
A Scheduler
$Sched \stackrel{def}{=} \emptyset : Sched + (tc,1).(NIL\,\Delta_{t_{max}}(rc.Sched,\ kill.Sched,\ \ldots))$
[figure: transition graph of Sched; after (tc,1) the scheduler counts down with $\emptyset$ steps, at most $t_{max}$ of them, and returns to Sched on rc or kill]
Preemption relation
To take priorities into account in the semantics we define the relation $\alpha \prec \beta$: $\alpha$ is preempted by $\beta$.
An action $\beta$ preempts action $\alpha$ iff
  it contains fewer resources: $\rho(\beta) \subseteq \rho(\alpha)$
  no lower priorities: $\forall r \in \rho(\beta).\ \pi_r(\alpha) \le \pi_r(\beta)$
  some higher priorities: $\exists r \in \rho(\alpha).\ \pi_r(\alpha) < \pi_r(\beta)$
  e.g. $\{(r_1,3),(r_2,5)\} \prec \{(r_1,7),(r_2,5)\}$
An event preempts an action iff it is $\tau$ with nonzero priority: such a $\tau$ preempts all actions, e.g. $\{(r,4)\} \prec (\tau,1)$
An event preempts another event iff same label, higher priority, e.g. $(a!,1) \prec (a!,3)$
Prioritized transition relation
We define $P \xrightarrow{\alpha}_{\pi} P'$ when
  there is an unprioritized transition $P \xrightarrow{\alpha} P'$
  there is no $\beta$ such that $P \xrightarrow{\beta} P''$ and $\alpha \prec \beta$
Compositional
Example
Unprioritized and prioritized transitions:
$P \stackrel{def}{=} \{(r,1)\} : P' + \emptyset : P$, $Q \stackrel{def}{=} \{(r,2)\} : Q' + \emptyset : Q$
Unprioritized: $P \parallel Q \xrightarrow{\{(r,1)\}} P' \parallel Q$, $P \parallel Q \xrightarrow{\{(r,2)\}} P \parallel Q'$, $P \parallel Q \xrightarrow{\emptyset} P \parallel Q$
Prioritized: $P \parallel Q \xrightarrow{\{(r,2)\}}_{\pi} P \parallel Q'$, $P \parallel Q \xrightarrow{\emptyset}_{\pi} P \parallel Q$
Example (cont.)
Resource closure enforces progress:
Unprioritized: $[P \parallel Q]_{\{r\}} \xrightarrow{\{(r,1)\}} [P' \parallel Q]_{\{r\}}$, $[P \parallel Q]_{\{r\}} \xrightarrow{\{(r,2)\}} [P \parallel Q']_{\{r\}}$, $[P \parallel Q]_{\{r\}} \xrightarrow{\{(r,0)\}} [P \parallel Q]_{\{r\}}$
Prioritized: $[P \parallel Q]_{\{r\}} \xrightarrow{\{(r,2)\}}_{\pi} [P \parallel Q']_{\{r\}}$
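The preemption relation, the prioritized transition relation and the resource-conflict example of the last few slides, as an added Python model that is not part of the original deck: the encoding of labels and terms, the `DEFS` table, and the choice to let $P'$ and $Q'$ be NIL are assumptions made here.

```python
from itertools import product

# Constructed encoding of ACSR labels: a timed action is a frozenset of (resource, priority)
# pairs, e.g. frozenset({('r', 2)}); the idle action is the empty set. An instantaneous
# event is the tuple ('ev', label, priority), e.g. ('ev', 'a!', 2); 'tau' is the silent label.
IDLE = frozenset()

def is_event(lab):
    return isinstance(lab, tuple) and lab[0] == 'ev'

def resources(act):                     # rho(A)
    return {r for r, _ in act}

def prio(act, r):                       # pi_r(A); 0 when r is not used by A
    return next((n for x, n in act if x == r), 0)

def preempted_by(alpha, beta):
    """alpha < beta (alpha is preempted by beta): the three cases of the preemption slide."""
    if not is_event(alpha) and not is_event(beta):          # action vs action
        ra, rb = resources(alpha), resources(beta)
        return (rb <= ra                                     # beta uses fewer resources
                and all(prio(alpha, r) <= prio(beta, r) for r in rb)   # no lower priorities
                and any(prio(alpha, r) < prio(beta, r) for r in ra))   # some higher priority
    if not is_event(alpha) and is_event(beta):               # action vs event
        return beta[1] == 'tau' and beta[2] > 0              # only tau with prio > 0 preempts
    if is_event(alpha) and is_event(beta):                   # event vs event
        return alpha[1] == beta[1] and alpha[2] < beta[2]    # same label, higher priority
    return False                                             # an action never preempts an event

def prioritized(trans):
    """Keep a transition only when no other transition from the same state preempts it."""
    return [(l, p) for l, p in trans if not any(preempted_by(l, m) for m, _ in trans)]

# Process terms: ('nil',), ('act', A, P), ('ev', (label, n), P), ('choice', P, Q),
# ('par', P, Q), ('close', I, P) and ('name', C) for constants defined in DEFS.
DEFS = {}

def step(P):
    """Unprioritized transitions of P as a list of (label, successor), following the rules
    ActT, ActI, ChoiceL/R, ParIL/ParIR, ParT, ParCom and CloseT."""
    kind = P[0]
    if kind == 'nil':
        return []
    if kind == 'name':
        return step(DEFS[P[1]])
    if kind == 'act':                                        # ActT
        return [(P[1], P[2])]
    if kind == 'ev':                                         # ActI
        return [(('ev',) + P[1], P[2])]
    if kind == 'choice':                                     # ChoiceL, ChoiceR
        return step(P[1]) + step(P[2])
    if kind == 'close':                                      # CloseT: add (r,0) for unused r in I
        I, out = P[1], []
        for l, q in step(P[2]):
            if not is_event(l):
                l = l | {(r, 0) for r in I - resources(l)}
            out.append((l, ('close', I, q)))
        return out
    left, right = step(P[1]), step(P[2])                     # kind == 'par'
    out = [(l, ('par', q, P[2])) for l, q in left if is_event(l)]       # ParIL
    out += [(l, ('par', P[1], q)) for l, q in right if is_event(l)]     # ParIR
    for (l1, q1), (l2, q2) in product(left, right):
        if not is_event(l1) and not is_event(l2):                       # ParT: disjoint resources
            if not resources(l1) & resources(l2):
                out.append((l1 | l2, ('par', q1, q2)))
        elif is_event(l1) and is_event(l2):                             # ParCom: a? meets a!
            if l1[1][:-1] == l2[1][:-1] and {l1[1][-1], l2[1][-1]} == {'?', '!'}:
                out.append((('ev', 'tau', l1[2] + l2[2]), ('par', q1, q2)))
    return out

# The resource-conflict example of the slides: P = {(r,1)}:P' + idle:P, Q = {(r,2)}:Q' + idle:Q
DEFS['P'] = ('choice', ('act', frozenset({('r', 1)}), ('name', "P'")), ('act', IDLE, ('name', 'P')))
DEFS['Q'] = ('choice', ('act', frozenset({('r', 2)}), ('name', "Q'")), ('act', IDLE, ('name', 'Q')))
DEFS["P'"] = DEFS["Q'"] = ('nil',)                           # assumption: P' and Q' just stop
PQ = ('par', ('name', 'P'), ('name', 'Q'))
PQ_CLOSED = ('close', frozenset({'r'}), PQ)                  # [P || Q]_{r}

def labels(term, prio_only=False):
    """Set of labels of the outgoing transitions of term (prioritized ones if prio_only)."""
    trans = prioritized(step(term)) if prio_only else step(term)
    return {l for l, _ in trans}

if __name__ == '__main__':
    for name, term in (('P||Q', PQ), ('[P||Q]_{r}', PQ_CLOSED)):
        print(name, 'unprioritized:', labels(term), 'prioritized:', labels(term, True))
```

Running it reproduces the slides: without closure both $\{(r,2)\}$ and the idle step survive, with closure the idle step becomes $\{(r,0)\}$, is preempted, and only $\{(r,2)\}$ remains.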
Bisimulation
This requirement was captured formally through the notion of bisimulation, a binary relation on the states of systems.
Observational equivalence is based on the idea that two equivalent systems exhibit the same behavior at their interfaces with the environment.
Two states are bisimilar if for each single computational step of the one there exists an appropriate matching (multiple) step of the other, leading to bisimilar states.
[figure: two transition systems over states A, B, C, D, E with transitions labeled a, b, c, shown to be bisimilar]
Prioritized strong equivalence
An equivalence relation is a congruence when it is preserved by all the operators of the language.
This implies that replacement of equivalent components in any complex system leads to equivalent behavior.
Strong bisimulation over $\xrightarrow{\alpha}_{\pi}$ is a congruence relation with respect to the ACSR operators.
Equational Laws
Equational laws are a set of axioms on the syntactic level of the language that characterize the equivalence relation.
They may be used for manipulating complex systems at the level of their syntactic (ACSR) description.
There is a set of laws that is complete for finite state ACSR processes:
$P + Q = Q + P$   $(P \parallel Q) \parallel R = P \parallel (Q \parallel R)$
$P + NIL = P$   $NIL + P = P$
...
Fixed-priority scheduling in ACSR
A set of I tasks with periods $p_i$ and execution times $e_i$, sharing the same CPU (resource cpu), where deadline equals period:
  each task receives the start signal from the scheduler and begins executing
  in each step, the task uses the resource cpu or idles if preempted
Priority of CPU access is based on the process index
$Task_i \stackrel{def}{=} (start?,0).P_{i,0} + \emptyset : Task_i$,  $i \in \{1,\ldots,I\}$
$P_{i,j} \stackrel{def}{=} (j < e_i) \rightarrow (\emptyset : P_{i,j} + \{(cpu,i)\} : P_{i,j+1}) + (j = e_i) \rightarrow Task_i$,  $i \in \{1,\ldots,I\}$, $j \in \{0,\ldots,e_i\}$
Scheduling and checking deadlines
Each task is controlled by an actuator process (intuitively, a part of the scheduler)
  Starts execution of a task by sending start
  Keeps track of deadlines: a task can accept start only after it completes execution in the previous period
$Actuator_i \stackrel{def}{=} (start_i!, i).A_{i,0}$,  $i \in \{1,2\}$
$A_{i,k} \stackrel{def}{=} (k < p_i) \rightarrow \emptyset : A_{i,k+1} + (k = p_i) \rightarrow Actuator_i$,  $i \in \{1,2\}$, $k \in \{0,\ldots,p_i\}$
$Job_i \stackrel{def}{=} (Task_i \parallel Actuator_i) \backslash start_i$
Rate-monotonic scheduling
Order the task processes according to their periods: tasks with higher rates have higher indices and thus higher priorities
Compose the task processes and analyze for deadlock: the collection of tasks is schedulable iff there is no deadlock
$RM = (Job_1 \parallel \ldots \parallel Job_n)[cpu]$
Dynamic-priority scheduling
Unlike fixed-priority scheduling, such as RM, the priority of a task changes with time
Earliest Deadline First (EDF) scheduling: priority of a task increases as it nears its deadline:
$\pi_i = d_{max} - (p_i - t)$,  $d_{max} = \max(p_1,\ldots,p_n)$
An EDF task:
$Task_i \stackrel{def}{=} (start?,0).P_{i,0,0} + \emptyset : Task_i$,  $i \in \{1,\ldots,I\}$
$P_{i,j,t} \stackrel{def}{=} (j < e_i) \rightarrow (\emptyset : P_{i,j,t+1} + \{(cpu,\ d_{max} - (p_i - t))\} : P_{i,j+1,t+1}) + (j = e_i) \rightarrow Task_i$,  $i \in \{1,\ldots,I\}$, $j \in \{0,\ldots,e_i\}$, $t \in \{0,\ldots,p_i\}$
Probabilistic ACSR for soft real-time scheduling analysis
PACSR (Probabilistic ACSR)
ACSR extension for probabilistic behaviors.
Objective: formally describe behavioral variations in systems that arise due to failures in physical devices.
Since failing devices are modeled by resources we associate a failure probability p(r) with every resource r
  at any time unit, r is down with probability p(r) or up with probability 1 - p(r)
  failures are assumed to be independent
Syntax for PACSR processes
Similar to ACSR
Process terms
$P ::= NIL \mid A : P \mid (a,n).P \mid P + P \mid P \parallel P \mid P\,\Delta^{a}_{t}(Q,R,S) \mid [P]_I \mid P \backslash F \mid b \rightarrow P \mid C$
Process names
$C \stackrel{def}{=} P$
Distinction: For all resources r we write $\bar{r}$ for the failed occurrence of resource r. Thus, an action can specify access to failed resources.
Resource failures and recoveries
An action containing resource r cannot be taken when r is failed, i.e., if $r \in \rho(A)$ and r is failed then $A : P = NIL$
Failed resources: $\bar{r}$, with $pr(\bar{r}) = 1 - pr(r)$
Recoveries are modeled by using failed resources in actions
EXAMPLE
$\{(phone,1)\} : PlaceCall + \{(\overline{phone},1)\} : UsePayPhone$
PACSR Semantics
Semantics of a PACSR process is given in terms of probabilistic transition systems: some transitions are labeled with probabilities and others with actions/events.
Labeled Concurrent Markov Chain (LCMC)
[figure: an LCMC whose states alternate between probabilistic branches (1/2, 1/2 and 1/3, 2/3) and nondeterministic branches labeled with actions a, b, c, d and events $\tau$]
PACSR Semantics
Configurations are pairs of the form (P,W), where
  P is a PACSR process, and
  W is a world capturing the state of resources as follows: $r \in W$ records that r is up and $\bar{r} \in W$ that r is down
A configuration (P,W) is characterized as
  Probabilistic, if P requires resources whose state is not in W. Example: $(\{(r_1,1)\} : Q,\ \{r_2\})$
  Nondeterministic, if all resource information required by P is in W. Example: $((a,1).NIL,\ \emptyset)$
PACSR semantics (II)
The semantics is given via a pair of transition relations:
  Probabilistic transition relation, $(P,W) \xrightarrow{p}_{pr} (P,W')$
  Nondeterministic transition relation, $(P,W) \xrightarrow{\alpha} (Q,W')$
Let imr(P) be the resources that can be used in the first step: $imr(P) = \{ r \mid \exists A, P'.\ P \xrightarrow{A} P' \wedge r \in \rho(A) \}$
Operational semantics
The nondeterministic transition relation is taken from ACSR, with one exception:
  ActT: $\dfrac{\rho(A) \subseteq W}{(A : P, W) \xrightarrow{A} (P, \emptyset)}$
The probabilistic transition relation is as follows:
  $\dfrac{Z_1 = imr(P) \setminus \{ r \mid r \in W \vee \bar{r} \in W \} \quad Z_2 \in \mathcal{W}(Z_1) \quad p = pr(Z_2)}{(P,W) \xrightarrow{p}_{pr} (P, W \cup Z_2)}$
$\mathcal{W}(Z)$ is the set of all possible scenarios of the resources in Z; e.g.,
$\mathcal{W}(\{r_1,r_2\}) = \{\{r_1,r_2\}, \{\bar{r}_1,r_2\}, \{r_1,\bar{r}_2\}, \{\bar{r}_1,\bar{r}_2\}\}$
Example
Let $P = \{(r_1,2),(r_2,3)\} : Q$, $pr(r_1) = $ and $pr(r_2) = 1/3$.
Then $imr(P) = \{r_1,r_2\}$ and $\mathcal{W}(\{r_1,r_2\}) = \{\{r_1,r_2\}, \{\bar{r}_1,r_2\}, \{r_1,\bar{r}_2\}, \{\bar{r}_1,\bar{r}_2\}\}$
Thus by the probabilistic transition relation
$(P,\emptyset) \xrightarrow{1/6}_{pr} (P,\{r_1,r_2\})$,  $(P,\emptyset) \xrightarrow{1/6}_{pr} (P,\{\bar{r}_1,r_2\})$,
$(P,\emptyset) \xrightarrow{1/3}_{pr} (P,\{r_1,\bar{r}_2\})$,  $(P,\emptyset) \xrightarrow{1/3}_{pr} (P,\{\bar{r}_1,\bar{r}_2\})$
and by the nondeterministic transition relation
$(P,\{r_1,r_2\}) \xrightarrow{\{(r_1,2),(r_2,3)\}} (Q,\emptyset)$
while in the other three worlds a resource the action needs is failed, so the action is blocked.
Example: A faulty channel
$FCh \stackrel{def}{=} \emptyset : FCh + in.(\{ch\} : out!.FCh + \{\overline{ch}\}.FCh) \backslash \{ch\}$, where pr(ch) = 0.99
[figure: LCMC of FCh: after in, the configuration (P, $\emptyset$) moves with probability 0.99 to (P, {ch}), which performs out and returns to FCh, and with probability 0.01 to (P, {$\overline{ch}$}), which returns to FCh without performing out]
Model Checking
In order to analyze PACSR specifications we may want to check whether a specification satisfies a property written as a logical formula.
We use a probabilistic HML with an until operator
The until operator is parameterized with regular expressions over event names.
Syntax
$f ::= tt \mid \neg f \mid f \wedge f' \mid \langle \alpha \rangle f \mid f\, U^{t}_{u,\ \bowtie p}\, f'$
where u is a regular expression over actions and $\bowtie \in \{\le, >\}$
The until operator
$P \models f\, U^{t}_{u,\ \le q}\, f'$: there is some execution with probability $\le q$ for which f holds until f' becomes true within time t and observable behavior from u
EXAMPLE
$tt\, U^{20}_{\{talk,\,wait\}^{*} hangup,\ \le 0.01}\, tt$
the probability that within 20 time units after any number of talk and wait actions action hangup arises is $\le 0.01$
Resolving nondeterminism
Analysis involves computing the probability of reaching a set of desired states (within a time period) via an acceptable set of behaviors.
Example: What is the probability that event head takes place?
Such probability depends on how the nondeterminism of s is resolved.
[figure: from state s two $\tau$ branches lead to different probabilistic choices, one reaching head and tail with probabilities 1/2 and 1/2, the other with probabilities 1/3 and 2/3]
Model Checking
Schedulers are used for resolving nondeterminism. These are functions that, given a computation ending in a nondeterministic state, choose the next transition to take place.
Given a scheduler $\sigma$ of a system P, sets of states A and B, and a regular expression u, we may compute probabilities $Pr_A(P \Rightarrow B, u, t, \sigma)$: the probability of reaching a state in B, passing only via states in A, via paths with observable content in u, and within t time units.
So for example: $P \models f\, U^{t}_{u,\ \bowtie q}\, f'$ iff there is a scheduler $\sigma$ such that $Pr_A(P \Rightarrow B, u, t, \sigma) \bowtie q$, where $A = \{P \mid P \models f\}$ and $B = \{P \mid P \models f'\}$
Equivalence Relations
New notions of equivalence for the LCMC model taking account of both action types and probabilities.
In particular two LCMCs are strongly bisimilar if
1. they reach sets of bisimilar states with the same probability, and
2. for each nondeterministic step of one there exists a step of the other leading to bisimilar states.
[figure: two LCMCs with states $s, s_1, s_2, t_1, \ldots, t_4$ and $u, u_1, u_2, u_3, v, v_1, v_2$, transitions labeled a and b, shown as strongly bisimilar]
Equivalence Relations
There is a set of laws that completely axiomatizes
strong bisimulation for PACSR processes.
Other equivalence notions include weak bisimulation
which relates systems that have the same observable
behavior, that is, it ignores actions.
A Telecommunication Application
Based on the specification of a switching system considered in [AJK97].
The system consists of a number of concurrent processes with real-time constraints.
Probabilistic behavior is present in the form of
  probabilistic arrival of alarms, and
  uncertain execution times of processes.
Example: A Telecommunication Application
[figure: component diagram: Env sends alarms a to the Alarm Sampler AS and the Alarm Handler AH; the buffer B connects in and out; the background process BP and the scheduler Sched exchange tc, rc and kill]
PACSR Specification
The System
The system in its initial state: a parallel composition of all the components
$Sys \stackrel{def}{=} (Env \parallel B_0 \parallel Sched \parallel AS \parallel AH \parallel BP) \backslash F \backslash I$
The environment
The environment provides probabilistic alarms: at the failure of any of the resources $r_i$ an alarm is sent via channel a
[equations, only partly legible: $Env \stackrel{def}{=} \prod_{i=1}^{n} P_i$, where $P_i$ uses resource $r_i$ in each time unit and, on its failed occurrence $\bar{r}_i$, spawns $Q_i$, which sends the alarm a and then becomes NIL]
PACSR Specification
The Scheduler
$Sched \stackrel{def}{=} \emptyset : Sched + (tc,1).(NIL\,\Delta_{t_{max}}(rc.Sched,\ kill.Sched,\ \ldots))$
Background Process
The background process competes for processor time managed by the scheduler. Its duration is geometrically distributed.
[equations, only partly legible: $BP \stackrel{def}{=} (tc,0).BP'$, where $BP'$ uses a resource h in each step and its failed occurrence $\bar{h}$ ends the computation (which yields the geometric duration), returns rc to the scheduler, and can be interrupted by kill]
PACSR Specification
The buffer
[equations, only partly legible: $B_0 \stackrel{def}{=} in.B_1 + \ldots$; $B_i \stackrel{def}{=} in.B_{i+1} + out.B_{i-1} + \ldots$ for $0 < i < n$; $B_n \stackrel{def}{=} in.overflow.NIL + out.B_{n-1} + \ldots$, with a resource d modeling the buffer's delay and probabilistic choices written with $\sigma$ and $\bar{\sigma}$]
The Alarm Sampler and the Alarm Handler
[equations, only partly legible: AS receives alarms on a, passes them via in into the buffer and requests processor time with tc; AH takes alarms from the buffer via out and processes them using a resource $pt_A$ whose failure gives a probabilistic processing time, returning rc to the scheduler]
Two configurations
Consider two versions of the system:
$S_1$ with
  Possibility of 1 alarm per time unit,
  Buffer size of 3
  Capability of processing 2 alarms per time unit, and
$S_2$ with
  Possibility of 2 alarms per time unit
  Buffer size of 6
  Capability of processing 4 alarms per time unit
Comparison criterion: What is the probability of overflow in the alarm buffer?
Checking $f = tt\, U^{t}_{\le q}\, \langle overflow \rangle tt$
The table shows, for various values of t, the probability q that makes property f true for each of the systems.
T (time units) | $S_1$ | $S_2$
10 | 2x10^-6 | 3x10^-10
20 | 5x10^-6 | 6x10^-10
30 | 9x10^-6 | 1.0x10^-9
40 | 1.2x10^-5 | 1.3x10^-9
50 | 1.5x10^-5 | 1.6x10^-9
60 | 1.9x10^-5 | 2.1x10^-9
70 | 2.2x10^-5 | 2.4x10^-9
80 | 2.5x10^-5 | 2.8x10^-9
90 | 2.9x10^-5 | 3.1x10^-9
100 | 3.2x10^-5 | 3.5x10^-9
$P^2$ACSR: A power-aware extension of PACSR
A unified framework for modeling and analyzing power-aware real-time systems.
We associate a further attribute to resource usage, that of power consumption.
The syntax remains the same, except that actions are tuples of the form (r,p,c), where r is the resource, p is the priority level and c the power consumption of the resource usage.
EXAMPLE
$\{(phone,1,0)\} : Call_1 + \{(cellphone,1,3)\} : Call_2$
$P^2$ACSR
Semantics is given similarly to PACSR, as an LCMC.
We can use various techniques to perform various analyses on $P^2$ACSR models including:
Model checking: We may express temporal logic properties involving power consumption bounds and check that they are satisfied by $P^2$ACSR processes.
Probabilistic bounds on power consumption: We may compute the probability that power consumption exceeds certain limits.
Average power consumption: We may compute the average power consumption during intervals of interest.
Dynamic Voltage Scaling
Dynamic voltage scaling is a technique proposed for making energy savings by dynamically altering the power consumed by a processor.
Lower frequency execution implies longer processing of tasks.
This may lead to violation of real-time constraints.
[Pillai and Shin 01] propose extensions to real-time scheduling algorithms to make use of dynamic voltage scaling.
Power-Aware Real-Time Scheduling
Let I be a set of tasks with periods $p_i$ and worst-case execution times $c_i$, sharing the same CPU.
In reality tasks often take much less time to execute.
This probabilistic execution time may be modeled in PACSR as follows; the $(\overline{cont},1)$ branch gives the potential for early termination (geometric distribution):
$Task_i \stackrel{def}{=} (start?,0).Exec_{i,0,0} + \emptyset : Task_i$,  $i \in \{1,\ldots,I\}$
$Exec_{i,e,t} \stackrel{def}{=} (e < c_i) \rightarrow (\emptyset : Exec_{i,e,t+1} + \{(cpu,\ d_{max} - (p_i - t)),\ (cont,1)\} : Exec_{i,e+1,t+1} + \{(cpu,\ d_{max} - (p_i - t)),\ (\overline{cont},1)\} : Task_i) + (e = c_i) \rightarrow Task_i$,  $i \in \{1,\ldots,I\}$, $e \in \{0,\ldots,c_i\}$, $t \in \{0,\ldots,c_i\}$
Power-Aware Real-Time Scheduling
The algorithm of [Pillai and Shin] takes advantage of the possibility of early termination of a task by then executing the next task at the lowest possible frequency.
Specifically, on every release or completion of a task it recomputes the sum
$\dfrac{c^{last}_1}{p_1} + \ldots + \dfrac{c^{last}_n}{p_n}$
where $c^{last}_i$ is the computation time of the last execution of task i or $c_i$ if task i has just been released.
Based on this value it decides the lowest frequency that is consistent with the current effective utilization.
Power-Aware Real-Time Scheduling
First we extend the model of a task with the ability of executing slower or faster. It responds to messages fast and slow. In the slow mode a computation step takes twice as long, i.e. two time units. It also signals its release when execution commences and its completion time when it completes.
$Task_i \stackrel{def}{=} (start_i?,0).(release_i!,i).Exec_{i,0,0} + \emptyset : Task_i$,  $i \in \{1,\ldots,I\}$
$Exec_{i,e,t} \stackrel{def}{=} (e < c_i) \rightarrow ($
  $(fast?,i).(\emptyset : Exec_{i,e,t+1} + \{(cpu, d_{max}-(p_i-t)),(cont,1)\} : Exec_{i,e+1,t+1} + \{(cpu, d_{max}-(p_i-t)),(\overline{cont},1)\} : (end_{i,e+1}!,i).Task_i)$
  $+ (slow?,i).(\emptyset : Exec_{i,e,t+1} + \{(cpu, d_{max}-(p_i-t)),(cont,1)\} : (\{(cpu, d_{max}-(p_i-t)),(cont,1)\} : Exec_{i,e+1,t+2} + \{(cpu, d_{max}-(p_i-t)),(\overline{cont},1)\} : (end_{i,e+1}!,i).Task_i))$
  $) + (e = c_i) \rightarrow Task_i$
Power-Aware Real-Time Scheduling
The DVS algorithm is represented as the $P^2$ACSR process:
$DVS \stackrel{def}{=} (Scale_{c_1,c_2,c_3} \parallel Proc_{fast}) \backslash \{f_{up}, f_{down}\}$
Scale responds to release and completion signals and triggers the recomputation of the sum:
$Scale_{e_1,e_2,e_3} \stackrel{def}{=} (release_1?,0).SetNew_{c_1,e_2,e_3} + (release_2?,0).SetNew_{e_1,c_2,e_3} + (release_3?,0).SetNew_{e_1,e_2,c_3} + (end_{1,c}?,0).SetNew_{c,e_2,e_3} + (end_{2,c}?,0).SetNew_{e_1,c,e_3} + \ldots$
Power-Aware Real-Time Scheduling
SetNew decides the lowest frequency consistent with the current effective utilization and sends the appropriate signal:
$SetNew_{e_1,e_2,e_3} \stackrel{def}{=} (e_1/p_1 + e_2/p_2 + e_3/p_3 <\ ) \rightarrow (f_{down}!,4).Scale_{e_1,e_2,e_3} + (e_1/p_1 + e_2/p_2 + e_3/p_3 >\ ) \rightarrow (f_{up}!,4).Scale_{e_1,e_2,e_3}$
$DVS_{fast}$ and $DVS_{slow}$ describe the processor operating in the high and low frequency, respectively:
$DVS_{fast} \stackrel{def}{=} \{(power,1,pw_{fast})\} : DVS_{fast} + (fast!,1).DVS_{fast} + (f_{down}?,0).DVS_{slow} + (f_{up}?,0).DVS_{fast}$
$DVS_{slow} \stackrel{def}{=} \{(power,1,pw_{slow})\} : DVS_{slow} + (slow!,1).DVS_{slow} + (f_{down}?,0).DVS_{slow} + (f_{up}?,0).DVS_{fast}$
Analysis of DVS
We considered the following set of tasks:
Task | Execution time | Period
1 | 3 | 8
2 | 3 | 10
3 | 1 | 14
The algorithm guarantees the task set remains schedulable.
We computed the expected power consumption for one major frame ($t = p_1 \cdot p_2 \cdot p_3$) for pr(cont) = 1/3 and $pw_{fast} = 2$, $pw_{slow} = 1$.
With DVS minimum power consumption = 1906.66 and maximum power consumption = 1922.65
Without DVS power consumption = 2240
Thus expected savings between 14% and 14.8%.
Current work
Logical characterization of probabilistic weak bisimulation
Ordering relations for comparing power consumption of protocols
Prototype toolset (underway), extend with
  Model checking
  Long-term averages computation: compute performance properties such as task throughput or average latency
ACSR-VP for design synthesis and parametric analysis
Example: A Start-time Assignment Problem
Start-time Assignment Problem with Inter-job Temporal Constraints
The order of execution of jobs is not known
Goal is to statically determine the range of start times for each job so that jobs are schedulable and all inter-job temporal constraints are satisfied.
[figure: $Job_1$ runs from $s_1$ to $s_1 + e_1$ with $e_1 \in [4,7]$ and $Job_2$ from $s_2$ to $s_2 + e_2$ with $e_2 \in [3,4]$; the temporal constraints annotated on the timeline are $\le 10$, $\le 12$, $> 14$ and $\le 25$]
ACSR-VP (ACSR With Value-passing)
Extends ACSR with
  variables: (a?x,1).(c!x,1)...
  value passing communications: $(c!7,1) \parallel (c?x,1)\ldots$
  parameterized processes: $P(x) = (x > 1) \rightarrow (a!x,1).nil$
Priorities can be specified using expressions
  timed actions: {(data, y+1)}
  instantaneous events: (signal!8, x+3)
Syntax
$P ::= NIL \mid a.P \mid A : P \mid P + P \mid P \parallel P \mid b \rightarrow P \mid P \backslash F \mid [P]_I \mid C$
$a ::= (\tau, e) \mid (c?x, e) \mid (c!e_1, e_2)$
$A ::= \emptyset \mid \{S\}$
$S ::= (r, e) \mid (r, e), S$
$C ::= X \mid X(\vec{v})$
Symbolic Graph With Assignment (SGA)
$P(x) = (a!x,1).Q(x)$
$Q(y) = (y \le 0) \rightarrow (b!y,1).Q(y+1) + (y > 0) \rightarrow (a!y-1,1).Q(y-1)$
$P(0)$ performs $(a!0,1).(b!0,1).(a!0,1)\ldots$
[figure: SGA with nodes P(0) and Q(y); edge P(0) -> Q(y) labeled (true, (a!0,1), y := 0); self-loops on Q(y) labeled ($y \le 0$, (b!y,1), y := y+1) and ($y > 0$, (a!y-1,1), y := y-1)]
SGA is a directed graph with edges labeled with $(b, \alpha, u)$, where b is a Boolean condition, $\alpha$ is an action, and u is an assignment.
We use SGA to capture the semantics of ACSR-VP
Symbolic Bisimulation (Informal Description)
$P(x) = (x < 0) \rightarrow (b!x,1).nil + (x > 0) \rightarrow (a!x+1,1).nil$
$Q(y) = (a!y,1).nil$
[figure: SGA of P(x) with edges ($x > 0$, (a!x+1,1), Id) and ($x < 0$, (b!x,1), Id); SGA of Q(y) with the single edge (true, (a!y,1), Id)]
$X_{PQ}(x,y) = (x < 0 \rightarrow false) \wedge (x > 0 \rightarrow (true \wedge x+1 = y)) \wedge (true \rightarrow (x > 0 \wedge y = x+1))$
$P(x) \sim Q(y)$ iff $x > 0 \wedge x+1 = y$
Schedulability Analysis Using Symbolic Bisimulation
Suppose we have an ACSR-VP term $System(0,s_1,s_2)$ that models a real-time system or a scheduling problem. We generate the Symbolic Graph with Assignment for $System(0,s_1,s_2)$.
[figure: the SGA of $System(0,s_1,s_2)$ compared, via symbolic weak bisimulation $\approx_b$, with the idle process $Idle \stackrel{def}{=} \emptyset : Idle$]
Given two SGAs, we can apply the symbolic weak bisimulation algorithm to check the equivalence of $System(0,s_1,s_2)$ and the idle process $\emptyset : Idle$, which never deadlocks.
That is, finding a condition that makes a system schedulable is equivalent to finding a symbolic bisimulation relation with a non-blocking process.
ACSR-VP approach
Provides a formal framework for modeling real-time systems, especially for real-time scheduling problems such as
  Priority Assignment Problem
  Execution Synchronization Problem
  Start-time assignment problem
  Period assignment problem
Deals with unknown parameters in the problems rather than a yes/no answer (i.e., parametric approach)
Provides a fully automatic method for the analysis of real-time scheduling problems
Takes advantage of existing techniques such as integer programming and BDD
Overview of General Approach
[diagram: System Described in ACSR-VP -> SGA; Non-blocking Process in ACSR-VP -> SGA; both SGAs -> Symbolic Weak Bisimulation -> Predicate Equations with Free Variables -> Constraint Logic Programming or Theorem Prover -> Solution Space (Ranges of Free Variables)]
Example: Start-time Assignment Problem
Start-time Assignment Problem with Inter-job Temporal Constraints
Goal is to statically determine the range of start times for each job so that jobs are schedulable and all inter-job temporal constraints are satisfied.
[figure: $Job_1$ runs from $s_1$ to $s_1 + e_1$ with $e_1 \in [4,7]$ and $Job_2$ from $s_2$ to $s_2 + e_2$ with $e_2 \in [3,4]$; the temporal constraints annotated on the timeline are $\le 10$, $\le 12$, $> 14$ and $\le 25$]
Modeling With ACSR-VP
The following fragments of ACSR-VP describe the start time assignment problem with inter-job temporal constraints
$Job_i(t,s) = (t < s) \rightarrow \emptyset : Job_i(t+1,s) + (t = s) \rightarrow (Start!,1).Job_i(0,t,s)$
$Job_i(e,t,s) = (e < e_i^{-}) \rightarrow \{(cpu,1)\} : Job_i(e+1,t+1,s) + (e = e_i^{-}) \rightarrow Job_i(e,t,s)$
$Job_i(e,t,s) = (e < e_i^{+}) \rightarrow \{(cpu,1)\} : Job_i(e+1,t+1,s) + (e \le e_i^{+}) \rightarrow (Finished!,1).Idle$
$Constraint(t) = (start?,1).Constraint_1(t) + \emptyset : Constraint(t+1)$
$Constraint_1(t) = (Finished?,1).Constraint_2(t) + \emptyset : Constraint_1(t+1)$
$Constraint_2(t) = (t \le 12) \rightarrow Constraint_3(t,0)$
$Constraint_3(t) = $
$System(s_1,\ldots,s_n) = (Job_1(0,s_1) \parallel \ldots \parallel Job_n(0,s_n) \parallel Constraint(0)) \backslash \{Start, Finished\}$
Predicate Equations
The following fragments of predicate equations are generated from the symbolic weak bisimulation algorithm with the infinite idle process
$X_0(t,s_1,s_2) = (t \le 5 \wedge t < s_2 \rightarrow X_1(t+1,s_1,s_2))$
$\quad \wedge\ (t \le 5 \wedge t = s_1 \rightarrow X_2(0,t+5,s_2))$
$\quad \wedge\ ((t \le 5 \wedge t < s_1 \wedge X_1(t+1,s_1,s_2)) \vee (t < 5 \wedge t = s_1 \wedge X_2(0,t+5,s_2)))$
$X_1(t,s_1,s_2) = X_2$
$X_2(e,s_1,s_2) = X_1$
To get the values of $s_1$ and $s_2$, we can ask a query $X_0(0,s_1,s_2)$
Solution Space
The solutions to the predicate equations can be obtained using linear/integer programming techniques, constraint logic programming techniques, or a theorem prover.
The solutions for the previous example are:
Start time $S_1$ | 3 | 4 | 4 | 5 | 5 | 5
Start time $S_2$ | 14 | 14 | 15 | 14 | 15 | 16
An Automatic Approach
The disadvantage of symbolic weak bisimulation is that it requires adding new $\tau$ edges into the SGA. This increases the size of the predicate equations
The disadvantage of CLP is that there is no guarantee that it terminates
Reachability Analysis: Finding a condition that makes a system schedulable is equivalent to finding a condition that guarantees there is always a cycle in an SGA regardless of the path taken
  No need to add new $\tau$ edges
Restricted ACSR-VP
  Give a syntactic restriction to identify a decidable subset of ACSR-VP
  Control Variable: in finite range; values can be changed
  Data Variable: could be in infinite range; values cannot be changed
  $P(x:0..100, y) = (x < 0 \wedge x + y > 10) \rightarrow \emptyset : Q(x+3, y)$
  Generate a boolean expression or boolean equations (i.e., no need to use CLP)
Conclusions: resources
We have presented a family of resource-bound process-algebraic formalisms
  the notion of a resource plays a central role
Abstractions of physical resources
  Resource sharing: coordination and synchronization
  Resource consumption takes time: real-time behavior
  Resource failures: probabilistic behavior
Sample application domain: analysis of scheduling problems
Other domains: protocol analysis, rapid prototyping
Conclusions: analysis techniques
Analysis of safety properties by means of deadlock detection
Conformance analysis by means of equivalence and preorder checking
Probabilistic analysis techniques:
  Model checking
  Resource utilization
Parametric analysis in ACSR-VP
Extensions
Presented: serially reusable resources with access constraints
Other types of resources:
  Consumable resources: each resource use depletes the resource stock
  Multi-capacity resources: allow simultaneous access by a limited number of processes
Other kinds of resource constraints:
  non-functional constraints such as memory, power consumption, weight, etc.
Thanks
for the invitation to ETAPS 2002
for the fundamental work done by my former Ph.D. students:
  Amy Zwarico
  Rich Gerber
  Patrice Bremond-Gregoire
  Hanene Ben-Abdallah
  Duncan Clark
  Hee Hwan Kwak
for generous support from ARO, NSF, ONR over a number of years
Q & A