Deriving Monitoring Bounds for Distributed Real-Time Systems · 11 July 2012 | Moritz Neukirchner |...
25
Platzhalter für Bild, Bild auf Titelfolie hinter das Logo einsetzen Moritz Neukirchner, Steffen Stein, Rolf Ernst – TU Braunschweig Deriving Monitoring Bounds for Distributed Real-Time Systems
Transcript of Deriving Monitoring Bounds for Distributed Real-Time Systems · 11 July 2012 | Moritz Neukirchner |...
Platzhalter für Bild, Bild auf Titelfolie hinter das Logo einsetzen
Moritz Neukirchner, Steffen Stein, Rolf Ernst – TU Braunschweig
Deriving Monitoring Bounds for DistributedReal-Time Systems
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 2
Ensuring Timing Constraints
To ensure real-time constraints systems are verified at design-time (e.g. RTC, SymTA/S)
Processor
τ1
Processor
τ2
Bus
Src SinkP,Jspec
WCRT P,J WCRT P,J
τ3τ4 SrcSinkP,Jspec
WCRTP,JWCRTP,J
Performance Analysis
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 3
Ensuring Timing Constraints
To ensure real-time constraints systems are verified at design-time (e.g. RTC, SymTA/S) monitored at run-time (key to efficient mixed-criticality [Baruah11]) both based on model and formal specification
Processor
τ1
Processor
τ2
Bus
Src Sink
τ3τ4 SrcSink
Monitor
Monitor
Monitor
Monitor
P,Jspec P,J
P,JspecP,J
[Baruah11] Baruah, S.; Burns, A. & Davis, R., “Response-Time Analysis for Mixed Criticality Systems,” RTSS 2011
WCRT WCRT P,J
WCRTWCRTP,J
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 4
Monitoring According to Verification Model
Monitoring according to verification model• Bounds are safe• Bounds are fairly efficient to derive through performance analysis
e.g. Real-Time Calculus, Compositional Performance Analysis
• overly pessimistic• does not allow worst acceptable timing behavior
Sensitivity Analysis derives maximum parameter variation under which constraints still hold
MONITORING SHOULD BE PERFORMED ACCORDING TOSENSITIVITY BOUNDS
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 5
Outline
• Monitoring based on Sensitivity Analysis
• Compositional Sensitivity Analysis
• Evaluation
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 6
Outline
• Monitoring based on Sensitivity Analysis
• Compositional Sensitivity Analysis
• Evaluation
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 7
Search-based Sensitivity Analysis
• Modify parameters until constraints are violated• System-level Performance Analysis (e.g. SymTA/S, MPA) as
feasibility test• Yields Sensitivity Bounds at sources
Processor
τ1
Processor
τ2
Bus
Src Sink
τ3τ4 SrcSink
Monitor
Monitor
Ji,1
Jmax
Performance Analysis
Jmax
Ji,2
Jo,1
Jo,2
J‘i,1
J‘i,2
J‘o,1
J‘o,2
J2,sens
J1,sens
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 8
Search-based Sensitivity Analysis
• Modify parameters until constraints are violated• System-level Performance Analysis (e.g. SymTA/S, MPA) as
feasibility test• Yields Sensitivity Bounds at sources
Processor
τ1
Processor
τ2
Bus
Src Sink
τ3τ4 SrcSink
Monitor
Monitor
Jmax
Performance Analysis
Jmax
J‘i,1
J‘i,2
J‘o,1
J‘o,2
This approach yields sensitivity bounds only at the sources.
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 9
Interdependence of Sensitivity Bounds
• Sensitivity Bounds areNOT independent of each other
• Existing Analysis yield entire pareto-front
Processor
τ1
Processor
τ2
Bus
Src Sink
τ3τ4 SrcSink
Monitor
Monitor
J2,sens
J1,sens
J2,sens
J1,sens
Jmax
Jmax
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 10
Interdependence of Sensitivity Bounds
• Sensitivity Bounds areNOT independent of each other
• Existing Analysis yield entire pareto-front
Processor
τ1
Processor
τ2
Bus
Src Sink
τ3τ4 SrcSink
Monitor
Monitor
J2,sens
J1,sens
J2,sens
J1,sens
For monitoring only one point of the pareto front can be applied.
Jmax
Jmax
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 11
Outline
• Monitoring based on Sensitivity Analysis
• Compositional Sensitivity Analysis
• Evaluation
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 12
Processor
τ2
τ3
Processor
τ1
τ4
Compositional Sensitivity Analysis
• Perform sensitivity analysis of resources in isolation
Bus
Src Sink
SrcSink
Jmax
Jmax
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 13
Processor
τ1
τ4
Processor
τ2
τ3GuaranteeGuarantee
GuaranteeGuarantee
Compositional Sensitivity Analysis
• Perform sensitivity analysis of resources in isolation (WCRT analysis)• Resource gives guarantee on allowed input jitter• Guarantee serves as constraint at other resource• Execution as distributed fixed point algorithm
Jmax
Jmax
Binary Search
Constraint
Binary Search
Guarantee
Constraint Guarantee
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 14
Processor
τ1
τ4
ConstraintGuarantee
Guarantee
Processor
τ2
τ3
Compositional Sensitivity Analysis
• Perform sensitivity analysis of resources in isolation• Resource gives guarantee on allowed input jitter• Guarantee serves as constraint at other resource• Execution as distributed fixed point algorithm
Jmax
Jmax
Binary Search
Guarantee
Binary Search
Constraint Guarantee
This is Compositional Performance Analysis reversed!Isn‘t this trivial?
YES.NO.
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 15
Problems in Compositional Sensitivity Analysis
Starting Value (see paper):• Some tasks may not have valid guarantees when analyzed• Cannot be resolved when cyclic dependencies exist• Conservative starting point has to be defined
Convergence (see paper):• Distributed fixed point algorithm• Convergence has to be ensured
Pareto-Choice and Consistency:• Each local analysis performs pareto choice• Local pareto choices have to be globally consistent
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 16
Pareto Choice And Consistency
Processor
τ1
τ4
ConstraintGuarantee
Guarantee
Processor
τ2
τ3
Jmax
JmaxLocal Sensitivity Analysis
Guarantee
Constraint Guarantee
Local Sensitivity Analysis
Pareto ChoicePareto Choice
J2
J1
Consistent?
J2
J1
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 17
Consistency
• Assume initial guarantee/constraint assignment correct• Local sensitivity analysis are increasing
i.e. larger constraint at output → larger or equal guarantee at input→ Tuple of all guarantees/constraints can only increase→ Increasing a single guarantee/constraint cannot violate constraint
Processor
τ1
τ4
Processor
τ2
τ3Guarantee
GuaranteeJmax
Jmax
ConstraintGuarantee
Constraint Guarantee
Constraint++ Guarantee++Guarantee++
Local Sensitivity AnalysisLocal Sensitivity Analysis
✔✔
✔✔
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 18
Pareto Choice
• Execution order of greedy local analyses determines pareto choice• Guarantee, that is analyzed first, is maximized
Possible exploitation:• Analyze low criticality tasks first→ Low criticality tasks can accomodate largest design uncertainty
Processor
τ2
τ3
G1
Jmax G2(G1)
Jmax
Processor
τ2
τ3
G1(G2)
Jmax G2
Jmax
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 19
Pareto Choice and Consistency (Summary)
• Consistency/Correctness of guarantees formally provenTheorems 2 & 5 in the paper
• All guarantee assignments (sensitivity bounds) conservative• All intermediate guarantee assignments are conservative→ Algorithm can be stopped at any time and results are valid
• Correctness holds for any execution order of local sensitivityanalyses
• Local sensitivity analyses can be (partly) performed in parallel
• Execution Order of Local Analyses determines pareto choicee.g. analyze low criticality applications first to allow for largestuncertainty
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 20
Outline
• Monitoring based on Sensitivity Analysis
• Compositional Sensitivity Analysis
• Evaluation
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 21
Evaluation
• Our algorithm yields one approximated n-dimensional pareto point• Existing system-level sensitivity analyses [8,18] yield pareto front of
up to 4 dimensions (in reasonable runtimes)• [8,18] build on the same performance analysis algorithms
• Comparison of solution quality for systems up to 4 dimensionsi.e. where comparison to exact solution is possible
• Evaluation of runtimein terms of required WCRT analyses
[8] A. Hamann, R. Racu, and R. Ernst, “A formal approach to robustness maximization of complex heterogeneous embedded systems,” CODES 2006
[18] R. Racu, A. Hamann, and R. Ernst, “Sensitivity analysis of complex embedded real-time systems,” Real-Time Systems, 39:31–72, 2008.
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 22
Test Setup
• Synthetic testcases generated with System Models for Free (SMFF)see paper for complete parameter set
• Key characteristics of testcases:5 processors + 2 bussesUtilization 35%-45% (UUnifast)Small systems: 4x chain of 3 tasks = 12 tasks,
2-8 comm. tasks4 dimensions
Large systems: 50x chain of 3 tasks = 150 tasks52-79 comm. tasks50 dimensions
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 23
Solution Quality
exact solution no guarantee
• Solution quality:Normalized Manhattan distance to closest comparable pareto point
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 24
Runtime
• Existing analyses require ~104 [8] and ~108 [18] WCRT analyses to derive entire pareto front (4 sources/dimensions)
Our Approach
4 sources 50 sources[8] A. Hamann, R. Racu, and R. Ernst, “A formal approach to robustness maximization of complex heterogeneous embedded systems,”
CODES 2006[18] R. Racu, A. Hamann, and R. Ernst, “Sensitivity analysis of complex embedded real-time systems,” Real-Time Systems, 39:31–72, 2008.
11 July 2012 | Moritz Neukirchner | Deriving Monitoring Bounds for Distributed Real-Time Systems | Slide 25
Conclusion
• Monitoring should be performed according to sensitivity bounds
• Existing system-level sensitivity analyses yield• entire pareto front of bounds at sources
• We have introduced Compositional Sensitivity Analysis• yields sensitivity bounds at every resource• yields one multi-dimensional sensitivity bound
• Analysis significantly faster than previous approaches• Accuracy comparable
Thank you for your attention.
