Non-Preemptive Interrupt Scheduing for Safe Reuse of Legacy Drivers in Rea-Time Systems Tuio Facchinetti, Giorgio Buttazzo, Mauro Marinoni, and Giacomo Guidi University of Pavia, Itay {tuio.facchinetti,giorgio.buttazzo, mauro.marinoni, giacomo.guidi}@unipv.it Abstract Low-eve support of periphera devices is one of the most demanding activities in a rea-time operating system. In fact, the rapid deveopment of new interface boards causes a tremendous effort at the operating system eve for writing and testing ow-eve drivers for supporting the new hardware. The possibiity of reusing egacy drivers in rea-time systems woud offer the great advantage of keeping the rate of changes with a sma programming effort. Since typica egacy drivers are written to execute in a nonpreemptive fashion, a suitabe operating system mechanism is needed to protect rea-time appication tasks from unpredictabe bursty interrupt requests. In this paper we present a nove approach suitabe for scheduing interrupt service routines. Main features of the method incude: high priority of the hander, non preemptive execution, bandwidth reservation for the appication tasks, and independence of the interrupt service poicy from the scheduing poicy adopted for the appication tasks. 1. Introduction One of the main probems of reusing egacy drivers in a rea-time system is that most interrupt handers disabe the interruption capabiity of the processor, executing ong portions of code at the highest priority in a non-preemptive fashion. As a consequence, a bursty sequence of interrupts may introduce ong bocking deays, which woud cause hard tasks to miss their deadines and soft tasks to increase their response time. Under such an execution mode for the interrupts, an off-ine guarantee of rea-time constraints coud require the system to run with a very ow utiization. On the other hand, enabing the preemption of an interrupt service routine woud increase the efficiency of resource utiization, but coud jeopardize the correct management of the device. For exampe, many device drivers require a tight management of the deays between consecutive instructions. Hence, a preemption coud introduce undesired deays, causing potentia system instabiity or inconsistency. In many cases, a sma jitter in the activation of the interrupt hander (executed in a non preemptive fashion) is toerated by the appication, and it is often safer than having a preemption during the execution of the hander. Ceary, a more predictabe behavior of the system coud be achieved through a carefu programming of the interrupt handers and an off-ine guarantee of the rea-time tasks. However, such a soution requires a tremendous effort in terms of ow-eve programming and testing, due to the compexity of most modern I/O devices. Considering the huge amount of open source code currenty avaiabe for amost a kinds of off-the-shef peripheras, a very appeaing option woud be to easiy integrate the existing code inside a rea-time system, whie sti guaranteeing the rea-time constraints of the appication, as we as a stabe behavior of the driver code. A device driver is often modeed as an aperiodic task, that is, a sequence of jobs with known worst-case execution time (WCET) and unknown arriva times. To protect reatime appication tasks from possibe overruns due to bursty interrupt arrivas, drivers can be handed through an aperiodic server that bounds the processor demand to a given maximum utiization (the server bandwidth). Severa aperiodic service mechanisms have been proposed in the reatime iterature, both under fixed priority [7, 12] and dynamic priority systems [13, 1]. Unfortunatey, most of the proposed approaches assume a fuy preemptive system, where the server can suspend the execution of the driver at any time, either because of the arriva of a new job with a higher priority, or because the server budget is exhausted. LeVasseur et a. [8] presented a method for reusing unmodified device drivers via virtua machine and proposed a heuristic approach to avoid preemptions into device driver s code. However, they did not consider appications with timing constraints, hence their method is not suitabe for reatime systems. Abeni and Buttazzo [1] considered the case in which the served job may use critica sections of code to share mutuay excusive resources with other tasks, but the fuy non preemptive case was not addressed.
A possibe soution for ensuring a non-preemptive execution of an interrupt hander is to assign it the highest possibe priority. This can easiy be done under a static priority scheduing agorithm. Katcher et a. [6] anayzed the overhead introduced by interrupt management and other kerne mechanisms; however, their anaisys addresses fixed priority systems ony. Leyva-de Foyo and Mejia-Avarez [8] proposed an integrated approach to interrupt management with reated anaysis, but their method requires specia hardware support. Under the Eariest Deadine First (EDF) agorithm [1], Jeffay and Stone [5] presented a feasibiity test for guaranteeing the scheduabiity of periodic task sets running in the presence of an interrupt hander executed at the highest priority eve. Athough this approach guarantees a non preemptive execution of the driver, etting the driver running at the highest priority eve coud be too restrictive for the periodic task set, in terms of feasibiity. Aowing a certain amount of activation deay for the drivers woud increase the bandwidth of the appication tasks, whie guaranteeing a safe non preemptive execution of the interrupt routines. In this paper, we propose a nove service method for handing interrupt activities, with the foowing characteristics: The hander is aways executed in a non preemptive fashion, but the server imits its bandwidth consumption through a suitabe budget management that aows guaranteeing the other rea-time activities. A hierarchica scheduing approach [9] is used to make the interrupt server independent of the scheduing poicy, so that either fixed or dynamic priority assignments can be used for the appication tasks. The server can be tuned to baance its responsiveness versus its bandwidth consumption. The mechanism can be efficienty impemented to reduce the extra overhead required in capacity-based servers to set the timers for the budget management. Finay, the context-switch overhead introduced by the interrupt requests can be easiy taken into account in the guarantee test for the appication tasks. 2. Server description An interrupt request I i is modeed as an interrupt service routine (ISR) with its own worst-case computation time C i. The server is defined by 3 parameters: a maximum budget, a bandwidth U, and a budget threshod. The server aso keeps two state variabes: its current budget Q(t) and an activity state Φ(t), which can have three vaues: exe. The server is in this state when it executes an ISR; ready. The server is ready when there are no pending interrupt requests and a new incoming request can be executed immediatey without any activation deay; ide. The server is ide when a new request cannot be immediatey executed because the previous requests consumed the avaiabe budget beow the threshod. In this state, the budget is recharged according to a given repenishment rue, unti the maximum eve is reached or a new request arrives. The maximum budget ( ) is the upper bound for the current budget and imits the number of ISRs that can be consecutivey executed by the server. The budget Q(t) is decreased whie an ISR is executing to keep track of the remaining budget that can be aocated to other requests. To prevent any preemption of the server, the budget is aowed to be negative. When no request is executing, Q(t) is recharged at a constant rate. The U parameter specifies the percentage of processor aocated to the server, which eaves a bandwidth 1 U to the appication tasks. The vaue of U directy infuences the server budget Q(t), which increases at rate U when the server is ready or ide, and decreases at rate 1 U when the server is executing. A higher vaue of U makes the budget to decrease more sowy, thus aowing the execution of a higher number of ISRs before starting the recharge. On the contrary, decreasing U makes the budget to increase more sowy, thus etting more space for the appication tasks. The budget threshod ( ) defines the budget eve above which the server can start executing pending requests after an ide period. In other words, when the budget is exhausted (Q < ) a new request can ony be started when the budget is repenished up to. However, if Q > and the server is ready, an ISR can be executed even though Q. Decreasing the vaue of decreases the atency of the ISR, whie increasing decreases the overhead introduced by the server during IRQ bursts. Such a dependency is better expained in Section 3.2. Whie the server is ide, the ISRs that cannot be executed due to the bandwidth imitations are sent to a ready queue, which can be handed by an arbitrary discipine. Mutipe queues can aso be maintained to hande ISR casses with different atency requirements. Then, they are fetched from the queue when the processor can be safey assigned to the server, meaning that the execution of an interrupt service does not jeopardize the tempora requirements of the appication tasks. Two exampes of server execution are reported in Figure 1 to better iustrate the budget management mechanism and the server state transitions.
Q(t) Φ(t) ISR1 ISR2 ISR3 i r e r e r e i r t ide ready exe is not empty it switches to exe and starts executing the first pending request. If Φ = ready, when Q(t) reaches the server keeps its current status and keeps recharging up to if there are no IRQs to execute. Q(t) IRQ1 IRQ2 IRQ3 ISR execution finishes Q(t) >= queue is not empty Q min Φ(t) r ISR1 ISR2 ISR3 e e e i ISR4 e r t ide ready exe IRQ arriva ISR sent to queue ISR execution finishes exe Q(t) = Q θ ISR execution finishes Q(t) < ISR waiting in queue ide IRQ arriva ISR sent to queue IRQ1 IRQ2 IRQ3 IRQ4 Figure 1. Sampes server budget behavior. 2.1. Server rues Q(t) >= queue is empty ready IRQ arriva queue is empty Q(t) = Budget consumption and recharging is reguated by the foowing rues: 1. At the system start-up Φ() = ide and the initia budget is set to, i.e., Q() =. 2. Whie Φ = ide or Φ = ready, the budget increases at a constant rate U up to its maximum vaue. If Q(t 1 ) is the budget at time t 1 < t 2, then Q(t 2 ) = min{, Q(t 1 ) + (t 2 t 1 )U}. (1) 3. Whie Φ = exe, the budget decreases at a constant rate equas to 1 U. If Q(t 1 ) is the budget at time t 1 < t 2, then Q(t 2 ) = Q(t 1 ) (t 2 t 1 )(1 U). (2) The activity status of the server is determined by the current avaiabe budget, by the previous server status and by the presence or absence of pending ISRs into the ready queue. The status switches according to the foowing rues: The initia state of the server is ide; When an IRQ arrives, if Φ is exe or ide the ISR is sent to the ready queue and the server maintains its current state; When an IRQ arrives, if Φ = ready the server starts executing the hander and Φ = exe; When an interrupt hander terminates the execution, if Q(t) < Φ switches from exe to ide; if Q(t) and the ready queue is empty, the server switches to ready, otherwise, if an ISR is waiting in the queue, the server keeps the exe state and starts executing the next ISR; When Q(t) increases Φ can ony be ide or ready. If Φ = ide, when Q(t) reaches and the ready queue is empty, the server switches to ready; if the queue Figure 2. Server finite-states machine. Figure 2 iustrates these rues as a finite-state machine. 3. Server Properties The proposed interrupt server is characterized by the foowing interesting properties: the response time of every singe ISR can be predicted to perform an onine guarantee of incoming requests; the impementation overhead can be traded for the ISR atency by acting on the budget threshod ; the server parameters can be used to specify the bandwidth aocation within a hierarchica framework. Such a properties wi be formay addressed in the foowing sections. 3.1. Response time and onine guarantee The response time and the finishing time of each ISR can be determined when the corresponding IRQ is generated. This is fundamenta for adopting admission contro mechanisms to guarantee the system during overoad conditions due to IRQ bursts. If a deadine vioation is predicted, an error recovery strategy can be triggered. To describe the agorithm for the onine guarantee, we first introduce two variabes: f keeps track of the finishing time of the ast arrived IRQ, and Q represents the server budget at time f, i.e. Q = Q(t ). Let us consider an interrupt request I i triggered at time t i. We have to cacuate the f and Q variation due to the
new request arriva. In the foowing expanation we use the symbos f new and Q new to denote the updated vaues of the variabes, whereas f od and Q od denote the od vaues. Basicay, before the evauation of each equation, the assignment new vaue = od vaue has to be done in order to make the agorithm working iterativey. If the server ready queue is empty, then the server can be in one of the three activity states: If Φ = ready then the hander starts executing immediatey, thus f = t i + C i and RT (I i ) = C i, and, since the budget decreases during the execution of I i, from Equation (2) we have: Q = Q(f ) = Q(t i ) (1 U)(f t i ). Notice that, in the previous equations, the new vaue of both f and Q (f new, Q new ) do not depends on f od and Q od. This is because, from the point of view of our agorithm, when the ready queue is empty and Φ = ready, the next new IRQ can be considered as the first IRQ ever occurred. For this reason we simpy assign the vaue to f and Q. If Φ = exe there are two cases: if Q od f new Q new, then = f od + C i, RT (I i ) = f new t i = Q(f new ) = Q od (1 U)(f new f od ) if Q od <, then the current pending hander is deayed unti the budget wi be recharged. We cacuate the time t θ at which the budget wi be recharged by using Equation 1 and by imposing Q new we obtain Then = Q(t θ ) = = Q od t θ = Q od U f new = t θ + C i + U(t θ f od ) + f od. RT (I i ) = f new t i. If Φ = ide, since the ready queue is empty, f od and Q od sti refer to the finishing time of the ast executed ISR, thus the same reations iustrated for the Φ = exe case with Q od < hod. If the ready queue is not empty when IRQ i arrives, Φ cannot be ready. If it is ide or exe, the same reations previousy iustrated can be used. 3.2. Effect of the budget threshod The threshod is used in our mode to introduce an extra-deay between the time at which the server becomes ide and the time at which it switches to ready again. This is usefu to imit the overhead produced by the system timers, aowing an efficient impementation of the server. The basic idea is that, when increases, the system overhead decreases but the average ISR response time increases. Since when Φ = ready or Φ = exe the server continuousy executes the ISRs enqueued into the ready queue unti Q(t) <, an efficient server impementation may update the server budget on 3 events ony: 1. before the execution of the first ISR fetched from the queue; 2. after the end of the ast executed ISR (when Φ = ide); 3. when Φ switches from ide to ready, because Q(t) =. Whie in the first two situations the ony overhead introduced by the server is the computation of the new budget, the third case requires a system timer to be impemented. The timer is set when the server becomes ide in order to trigger an event when the server has to wake up (to switch Φ to ready and set Q(t) = ). Since the system timers are usuay impemented as interrupt routines, the overhead incudes the context switch time and the execution time of the required routine. Therefore, the overhead introduced by the system timers depends on the frequency of the timer activation events. Notice that the system timers are not managed by the server. Athough they are aso handed as interruptions, they are generated from the system and they require a separate mechanism to be managed. The server ony handes the interrupts coming from the egacy drivers. To discuss the effect of the threshod we consider the worst-case situation in which there is aways at east one ISR waiting into the ready queue. This is the typica situation during interrupt burst conditions. We assume the duration of the system timer routine equa to C timer. Finay, we consider the non-restrictive assumption in which a the ISRs have the same duration C int. This assumption requires a itte expanation. Since the timers are triggered when a transition from the ide state to an another state (exe or ready) is required, they are set when an ISR finishes its execution and Q(t) <. Moreover, the higher the frequency of timer activation the higher the overhead introduce by them. For a given, the worst case happens when an ISR finishes at an instant t end for which ɛ < Q(t end ) < for an arbitrary ow ɛ, because in this case the next timer activation is the cosest possibe to the previous one. When = and there is aways an ISR waiting in the queue, the vaue of ɛ is affected ony by the duration
of the ISR: the shorter is the ISR execution the shorter is ɛ and the higher is the overhead. When > the overhead does not depend from the ISR duration ony, since it depends even on the ISR arriva order and, potentiay, on the ratio between and ISR duration. Here we do not want to compare the the cases with same when the ISR characteristics change. We want to compare the cases with different whie keeping other parameter fixed. In this situation, C int can be assumed as the shortest ISR execution duration, i.e. C int = min(c i ). To estimate the system overhead we need to cacuate the time between two consecutive timer activations. Since a timer activation occurs when the budget increases up to, we have to evauate the maximum interva t in which Q(t) reaches again after reaching its minimum vaue Q min. Referring to the exampe iustrated in Figure 3, et t a be the time at which Q(t a ) = and Φ switches from ide to exe, et t b be the time at which Q(t b ) = Q min and Φ switches from exe to ide, and et t c be the time at witch Q(t c ) = and Φ switches from ide to exe again. Then, t = (t c t a ). As we wi see ater, the duration of t depends on, C int and U. Q(t) Qmin IRQ t a 1 2 3 4 5 t tb t c 1 2 3 4 5 kerne timer activations Figure 3. IRQ scheduing with threshod. To determine the vaue of Q min, et us consider the situation in which =. If there is aways an ISR into the ready queue, the budget foows the behavior iustrated in Figure 4. At each ISR execution, the budget reaches the vaue of Q(t b ) = Q min. From Equation 2 we have Q(t b ) = Q(t a ) (1 U)(t b t a ), where Q(t b ) = Q min, Q(t a ) = and t b t a = C int, so that Q min = (1 U)C int. Now et us consider the situation depicted in Figure 3, where such that = nq min < for a given integer n. Considering the interva [t a, t b ] and Equation 2, we can write Q(t b ) = Q(t a ) (1 U)(t b t a ), where Q(t b ) = Q min, Q(t a ) =. Then, we obtain t a = t b Q min. 1 U For the interva [t b, t c ] we use Equation 1. Since we are considering the case with Φ = ide, then Q < t Q(t) = Q min IRQ t a t tb 1 2 3 4 5 1 2 3 4 5 t c kerne timer activations Figure 4. IRQ scheduing without threshod. and the budget is increasing. We can say that Q(t c ) = Q(t b )+U(t c t b ), where Q(t b ) = Q min, and Q(t c ) =. Then, we obtain We determine t as t c = t b + Q min. U t = t c t a = Q min U(1 U). If U timer is the bandwidth consumed by the system timers, in any time interva [t 1, t 2 ] between two timer activations, we have [t U timer = 1,t 2 ] C timer, t 2 t 1 where [t C 1,t 2] timer is the tota amount of time consumed for the timer management during [t 1, t 2 ]. And since [t 1,t 2 ] C timer = t 2 t 1 t C timer (because t 2 t 1 t represents the number of timer activations in [t 1, t 2 ]), we have U timer = C timer + (1 U)C int U(1 U). The above expression aows us to derive some interesting considerations about the threshod mechanism. To achieve the minimum response time of an ISR the threshod shoud be set to =. By doing so, we have U timer ( = ) = C timer C int U. In this case, the bandwidth consumed for the timer management becomes reevant as soon as C int becomes comparabe with C timer. Figure 4 iustrates the schedue obtained on a burst of interrupts without threshod, that is with =. In such a situation, the osciation of Q(t) around produces severa activations of the timers used to trigger the transition of Φ from ide to ready. If the threshod is set to >, the execution of some ISRs suffers from a sma extra deay, but the number of timer activations decreases, since severa ISRs are executed together after the same activation, as shown in Figure 3. The threshod eve can be tuned to baance the hander response time versus the timer management overhead. t
3.3. The hierarchica framework The interrupt server presented in this paper is assumed to be handed using a hierarchica scheduing framework in order to decoupe the anaysis of the interrupt handing from the appication tasks scheduing [9]. This approach enabes our method to be used on top of both fixed priority and dynamic priority assignment schemes for the appication tasks. Ameida et a. [2] aso addressed one form of hierarchica scheduing and presented a scheduabiity anaysis of a non-preemptive periodic task set with fixed priority within a dedicated tempora frame, appied to the CAN bus. Feng and Mok [3] introduced a function to measure the time made avaiabe by a server, and anayzed it for a static aocation of the bandwidth. A hierarchica approach was aso proposed by Shin and Lee [11] to design a server that guarantees the appication tasks executed separatey by different servers. In this work, the hierarchica structure of the system is organized with an upper eve, the goba scheduer, that provides the execution time to a ower eve, made by one or more concurrent oca scheduers executing the appication tasks with potentiay different scheduing poicies. The anaysis is performed using the hierarchica partitioning approach introduced by Lipari and Bini [9]. Each server is modeed with two parameters: (i) the maximum bandwidth α is the amount of server budget Q avaiabe on a period P, having α = Q P ; (ii) the maximum consecutive ide time ( ). A server described with such a parameters is guaranteed both under EDF and RM [1] with the tests reported in [9]. In our approach, the interrupt manager is ocated at the ower eve of the hierarchica structure, so that it hods aways the highest priority within the system. Then, the server assigns the computation time to the ISR ony if there are requests for interrupts and there is enough bandwidth to satisfy the request. Otherwise, the bandwidth is assigned to the higher eve scheduers and consumed by the appication tasks. The scheduabiity test used to guarantee the appication tasks is based on the method presented in [9], using the α and parameters. We firsty introduce the foowing emma to bound the continuous execution on the server. Lemma 1 The maximum server continuous execution time is C w = max C i + i 1 U. Proof. If the initia budget is at the maximum aowed vaue, the server can execute for a period Qmax 1 U before the budget reaches the vaue. If a new ISR with duration equa to max i C i arrives, then the server budget becomes negative, the server becomes ide, and the budget reaches its owest vaue. Therefore, the tota execution time for the worst-case sequence of interrupt requests is C w = max i C i + 1 U. Since C w depends on, one of the resuts that comes directy from Lemma 1 is that raising the vaue of makes the server abe to respond quicky to an higher number of requests before becoming ide. The α and parameters can be derived from the server parameters according to the foowing theorem. Theorem 1 The server ide time can be represented with the two parameters α and, where α = 1 U and = max i C i + 1 U. Proof. If the server has a bandwidth U, as derived from property 1, its ide time has a bandwidth 1 U and α = 1 U. Deta is the maximum deay which affects the execution time passed to the task eve scheduer. Such a maximum deay corresponds to the maximum execution time of the server. From Lemma 1 we have = C w = max i C i + Qmax 1 U. 4. Experimenta resuts To test the behavior of the proposed interrupt management mechanism, the server has been impemented as a scheduing modue in the Shark rea-time operating system [4]. Then the server has been used to schedue the interrupt requests coming from device drivers imported from the Linux distribution without any modifications. To trigger the IRQ generation, we have used a persona computer (PC) connected to the target machine through a parae port. The PC generates expicit IRQs by raising a signa on the interrupt ine of the parae port. The frequency of the IRQs is controed by the PC, so that different bursty situations can be easiy tested. The test appication we have set up to evauate the interference of the server on the appication tasks consisted of a task set schedued using the EDF scheduing poicy. The task set is made by severa reativey fast hard periodic tasks with a period of 1µs and a measured computation time of 93µs. The task set generates a tota workoad equa to U app =.8. The genera interrupt arriva sequence is a burst of requests with a given duty cyce σ. We tested the server in severa situations, by imposing different duty cyces to the IRQ bursts and by setting different server parameter configurations. In a the experiments we measured the ISR activation atency. The period between two consecutive bursts is aways equa to 8 ms and the burst duration is changed for each experiment in order to vary the vaue of σ. For exampe, σ = 4% means that an IRQ burst of 3.2 ms is generated every 8 ms. The burst duration is measured by quanta of 4µs, and in each quantum we randomy generate from
1 to 5 interrupt requests. These vaues are constrained by the physica requirements needed for the IRQ generation using the parae port. The ISR atencies are represented in a graph reporting on the horizonta axis every singe ISR activation sorted by atency, and on the vertica axis the corresponding atency. Such a representation provides the same information of a traditiona histogram, moreover it aows the visuaization of severa curves on the same graph, making the atency comparison easier. 14 12 = = 25 = 5 (a) Figure 5 reports the resuts of an experiment in which = 5, U =.5 and the behavior of the atency was study with different vaues of and two different duty cyces: a) σ = 3% and b) σ = 7%. We notice that, for =, amost a the ISRs experience a high deay. Raising the vaue of (25 and 5) increases the number of ISRs that are schedued without any atency, as shown by the two curves that start fat and increase ater. The difference between the two pictures is that, in Figure 5 b) the duty cyce is sufficienty high to keep the ready queue busy a the time. This impies that every new IRQ is enqueued and the deay constanty increases. Figure 5 a) shows the typica behavior of the atency when the duty cyce is not sufficienty high to make the server enqueueing a the new arrivas: increasing the vaue of the number of ISR that are schedued increases, but the worst atency increases significanty. As a resut, ow duty cyces and ow threshod make the deay more uniformy distributed. atency (microsec) 16 14 12 1 8 6 4 2 (a) σ = 3% σ = 5% σ = 7% atency (microsec) 1 8 6 4 2 15 5 1 15 IRQ index sorted by atency = (b) = 25 = 5 atency (microsec) 14 12 1 8 6 4 2 5 1 15 IRQ index sorted by atency σ = 1% σ = 3% σ = 5% σ = 7% (b) atency (microsec) 1 5 5 1 15 IRQ index sorted by atency Figure 6. ISR activation atency distribution with different vaues of σ and two different threshoding eves: a) = and b) = 5. 5 1 15 IRQ index sorted by atency Figure 5. ISR activation atency distribution with different vaues of and two different duty cyces: a) σ = 3% and b) σ = 7%. In another experiment shown in Figure 6, we sti set = 5 and U =.5, but we study the behavior of the atency with different vaues of σ and two different threshod eves: a) = and b) = 5. In both graphs the curves become more abrupt as σ increases, but this behavior is much more evident for ow threshod eves (case (a)). Since the speed at which the server is abe to schedue the ISRs does not vary, raising the duty cyce and reducing the threshod have the join effect of keeping the ready queue aways occupied, so that new IRQ arrivas are aways enqueued and their atency constanty increases. Figure 7 shows the behavior of the ISR atency whie keeping the threshod and the duty cyce fixed ( = and σ = 7%) and changing U and. Increasing the server bandwidth U there is a reduction of the atency together with a gain on the number of ISR that are schedued with zero atency. Raising U causes two effects: a ower sope of the budget variation during the ISR execution, which impies more time to execute the ISRs, and a higher sope of the budget variation during the bud-
atency (microsec) 14 12 1 8 6 4 2 U =.5% U = 1% U = 3% U = 8% We provided both theoretica and experimenta resuts to show the effectiveness of our approach. Whie the theory vaidated the properties of the mode, the experimenta resuts showed the performance of the server under some reaistic working situations. The interrupt server has been integrated in the Shark reatime kerne and it is used to schedue the interrupt requests coming from device drivers imported from the Linux distribution without any modification. atency (microsec) 8 7 6 5 4 3 2 1 5 1 15 IRQ index sorted by atency = 8 = 2 = 35 = 5 5 1 15 IRQ index sorted by atency Figure 7. ISR activation atency distribution with different vaues of U and. get recharge, which invoves ess time between two server activations, thus ess atency for the ISRs execution. Raising the curves shift to the right, increasing the number of ISRs that are served with ow atencies, but aso increasing the overa worst-case performance in terms of individua ISR s deay. This happens because, if raises, there is more time to execute ISRs consecutivey, even if the sope of the budget variation does not change. On the other hand, higher vaues of impies higher vaues of (we set equa to the maximum possibe vaue) and onger recharging periods, so that the worst-case atency increases consequenty. 5. Concusions In this work we presented a nove approach for the efficient reuse of egacy device drivers in rea-time systems. Our method enforces a non-preemptive execution of the interrupt handers in order to preserve the interna tempora requirements of the ISRs, that are fundamenta for a predictabe behavior of the system. The server runs in a hierarchica environment with an assigned bandwidth, so that the rea-time appication tasks can be guaranteed independenty from the server. Moreover, the interrupt server poicy is competey independent from the scheduing poicy adopted for the appication tasks. References [1] L. Abeni and G. Buttazzo. Resource reservations in dynamic rea-time systems. Rea-Time Systems, 27(2):123 165, Juy 24. [2] L. Ameida, P. Pedreiras, and J. A. G. Fonseca. The fttcan protoco: Why and how. IEEE Transaction on Industria Eectronics, 49(6):1189 121, December 22. [3] X. Feng and A. K. Mok. A mode of hierarchica rea-time virtua resources. In Proc. of the 23rd IEEE Rea-Time Systems Symposium, pages 26 35, Austin, TX, USA, Dec. 22. [4] P. Gai, L. Abeni, M. Giorgi, and G. Buttazzo. A new kerne approach for moduar rea-time systems deveopment. In Proc. of the 13th IEEE Euromicro Conf. on Rea-Time Systems, pages 199 26, Deft, The Netherands, June 21. [5] K. Jeffay and D. L. Stone. Accounting for interrupt handing costs in dynamic priority task systems. In Proceedings of the IEEE Rea-Time Systems Symposium, pages 212 221, Raeigh-Durham, NC, USA, December 1993. [6] D. Katcher, H. Arakawa, and J. Strosnider. Engineering and anaysis of fixed priority scheduers. IEEE Transactions on Software Engineering, 19(9):92 934, 1993. [7] J. Lehoczky, L. Sha, and J. K. Strosnider. Enhanced aperiodic responsiveness in hard rea-time environments. In Proceedings of the IEEE Rea-Time Systems Symposium, pages 261 27, San Jose, CA, USA, December 1987. [8] J. LeVasseur, V. Uhig, J. Stoess, and S. Götz. Unmodified device driver reuse and improved system dependabiity via virtua machines. In Proceedings of the Sixth Symposium on Operating Systems Design and Impementation (OSDI 4), San Francisco, CA, USA, December 24. [9] G. Lipari and E. Bini. Resource partitioning among rea-time appications. In Proc. of the 15th Euromicro Conf. on Rea- Time Systems, pages 151, Porto, Portuga, Juy 23. [1] C. L. Liu and J. W. Layand. Scheduing agorithms for mutiprogramming in a hard rea-time environment. Journa of the ACM, 2(1):4 61, January 1973. [11] I. Shin and I. Lee. Periodic resource mode for compositiona rea-time guarantees. In Proc. of the 24th Rea-Time Systems Symposium, pages 2 13, Cancun, Mexico, Dec. 23. [12] B. Sprunt, L. Sha, and J. Lehoczky. Aperiodic task scheduing for hard rea-time system. Journa of Rea-Time Systems, 1:27 6, June 1989. [13] M. Spuri and G. C. Buttazzo. Scheduing aperiodic tasks in dynamic priority systems. Journa of Rea-Time Systems, 1(2):1 32, 1996.