Page 127 - DCAP103_Principle of operating system
P. 127
Principles of Operating Systems
Notes the new thread each get 30% of the processor time, but critical Thread B’s 40% remains inviolate.
Thread A can create many confederate threads without affecting the ability of Thread B to get
its work done; Thread B’s processor reservation is thus guaranteed. A scheduler that provides
this kind of guaranteed resource availability in addition to the standard scheduling techniques
is required in some critical embedded systems, particularly avionics.
Figure 4.5: Traditional Scheduler vs. Scheduler with Weights
Traditional Scheduler
ThreadBisstarved
Thread A'
Thread A Thread B
Thread A'' Thread B
Scheduler Using Weights
ThreadB CPU resource is guaranteed
Thread A'
Thread A Thread B Thread B
Thread A''
The problem inherent in all schedulers is that they are ignorant of the process in which threads
reside. Continuing our previous example, suppose that Thread A executes in a user interface
process while critical Thread B executes in a flight control process. The two applications
are partitioned and protected in the space domain, but not in the time domain. Designers
of safety-critical systems require the ability to guarantee that the run-time characteristics of
the user interface cannot possibly affect the run-time characteristics of the flight control
system. Thread schedulers simply cannot make this guarantee. Consider a situation
in which Thread B normally gets all the runtime it needs by making it higher priority
than Thread A or any of the other threads in the user interface. Due to a bug or poor
design or improper testing, Thread B may lower its own priority (the ability to do so
is available in practically all kernels), causing the thread in the user interface to gain
control of the processor. Similarly, Thread A may raise its priority above the priority of
Thread B with the same effect.
A convenient way to guarantee that the threads in processes of different criticality cannot
affect each other is to provide a process-level scheduler. Designers of safety critical software
have noted this requirement for a long time. The process, or partition, scheduling concept is a
major part of ARINC Specification 653, an Avionics Application Software Standard Interface.
The ARINC 653 partition scheduler runs partitions, or processes, according to a timeline
established by the system designer. Each process is provided one or more windows of execution
within the repeating timeline. During each window, all the threads in the other processes are
not runnable; only the threads within the currently active process are runnable (and typically
are scheduled according to the standard thread scheduling rules). When the flight control
application’s window is active, its processing resource is guaranteed; a user interface application
cannot run and take away processing time from the critical application during this window.
120 LOVELY PROFESSIONAL UNIVERSITY
