1 Introduction

In recent years, there has been a significant publishing trend in area of mixed-criticality systems. Many different models emerged and they are covered in extensive review Burns and Davis (2017). The common approach in mixed-criticality systems is the adaptive mixed-criticality approach. The first response-time analysis for sporadic task sets in adaptive mixed-criticality systems was done in Baruah et al. (2011). Recently, an exact schedulability test for adaptive mixed-criticality systems with fixed-priority scheduler on uniprocessor platforms was devised in Asyaban and Kargahi (2018). We suspect that there are some mistakes in Asyaban and Kargahi (2018) which can cause confusion and reduce reproducibility of results.

2 Corrections

In this section we point out errors and inconsistencies in the efficient formulation of the exact schedulability test described in Chapter 4.2 of Asyaban and Kargahi (2018). There are two corrections which have to be made for the algorithm to work properly. We briefly explain the used notation and address errors in the rest of the section.

2.1 Preliminaries

The authors use state space exploration in determining schedulability and response times of a task set. In Asyaban and Kargahi (2018), state is defined as a tuple:

$$\begin{aligned} s_t := \langle \varGamma , (c_i, q_i, p_i, \epsilon _i, \phi _i)_{i=1}^k \rangle \end{aligned}$$
(1)

where:

  • \(\varGamma \in \{LO, HI\}\) is the criticality mode of the system in the state,

  • \(c_i \in \{0, 1, \ldots , C_i(HI)\}\) denotes the remaining execution time of the unique pending job of task \(\tau _i\),

  • \(q_i \in \{0, 1, \ldots , D_i\}\) is the remaining time to the deadline of the latest released job of task \(\tau _i\),

  • \(p_i \in \{0, 1, \ldots , T_i\}\) is the minimum remaining time until the next release of task \(\tau _i\); if \(L_i\)= LO \(\wedge\)\(\varGamma =\) HI, then \(p_i = 0\),

  • \(\epsilon _i \in \{0, 1, \ldots , C_i(HI)\}\) is the actual execution-time of the unique pending job of task \(\tau _i\),

  • \(\phi _i \in \{0, \ldots , T_i\}\) is an offset which indicates how much later than the minimum inter-release time the most recent job of task \(\tau _i\) is released.

Moreover, \(\sigma (t) = \{\sigma _1(t), \ldots , \sigma _N(t)\}\) denotes a job sequence of a task set at time instant t, e.g. if \(\sigma _1(0) = 4\) task \(\tau _1\) is released at time instant 0 with the execution time 4. Rule 1* is the state transition rule and Rule 2* the job sequence generation rule. Based on job sequences generated according to Rule 2* the current state \(s_{t}\) transitions to successor states \(s_{t + 1}\) according to Rule 1*.

2.2 The first error: Rule 1*

The first error is in Rule 1* which describes assignment of the minimum remaining time until the next release of task \(\tau _i\), i.e. \(p_i'\). In the paper, it is stated that if \(\sigma _i(t + 1) = 1\), then \(p_i' = T_i\). This is not correct as it discriminates against other release patterns in which job of task \(\tau _i\) is released with execution time larger than 1. Therefore, the condition should be \(\sigma _i(t + 1) \ge 1\).

The first error causes invalid state transitions. Consequently, the schedulability test discovers incorrect task response times what leads to an incorrect schedulability decision. To illustrate the consequences of the first error we provide the following example.

Example 1

Consider task set with 3 tasks \(\tau _i = \{[C_i(LO), C_i(HI)], T_i, D_i, L_i\}\):

  • \(\tau _1 = \{[1, 2], 5, 5, HI\}\)

  • \(\tau _2 = \{[1, 1], 3, 3, LO\}\)

  • \(\tau _3 = \{[2, 4], 7, 7, HI\}\)

Tasks are ordered according to priority, i.e. task \(\tau _1\) has the highest priority and task \(\tau _3\) has the lowest priority. Consider the transition from the pre-initial state \(s_{-1} = \langle LO, (0, 0, 0, 0, 0)_{i=1}^3 \rangle\). According to Rule 2* there are six different job sequences at time instant 0: \(\sigma (0)^1 = \{0, 0, 4\}\), \(\sigma (0)^2 = \{0, 1, 4\}\), \(\sigma (0)^3 = \{1, 0, 4\}\), \(\sigma (0)^4 = \{1, 1, 4\}\), \(\sigma (0)^5 = \{2, 0, 4\}\), \(\sigma (0)^6 = \{2, 1, 4\}\). For instance, we take the sixth job sequence \(\sigma (0)^6\) and apply Rule 1* to get the next state \(s_0^6\). According to Rule 1* task state \((c_i, q_i, p_i, \epsilon _i, \phi _i)\) for \(\tau _2\) is:

  • \((c_2 = 1, q_2 = 3, p_2 = 3, \epsilon _2 = 1, \phi _2 = 0)\)

As \(\sigma _2(0)^6 = 1\), the minimum remaining time until the next release of a job \(p_2\) is set to 3 what is correct. However, this is not the case for tasks \(\tau _1\) and \(\tau _3\):

  • \((c_1 = 2, q_1 = 5, p_1 = 0, \epsilon _1 = 2, \phi _1 = 0)\)

  • \((c_3 = 4, q_3 = 7, p_3 = 0, \epsilon _3 = 4, \phi _3 = 0)\)

where \(p_1\) and \(p_3\) are set to 0 what is incorrect because the remaining time until the next release of a job corresponds to task periods 5 and 7, respectively. Therefore, the part of Rule 1* which states: “if \(\sigma _i(t + 1) = 1\) then \(p_i' = T_i\)” is incorrect and should be corrected to: “if \(\sigma _i(t + 1) \ge 1\) then \(p_i' = T_i\)” (Fig. 1).

As pointed out earlier an incorrect state transition causes the algorithm to produce an incorrect response time and consequently an incorrect schedulability decision. To better illustrate this, we provide Figs. 2 and 3 which depict the state space exploration for \(\tau _3\) for the corrected and the incorrect Rule 1* respectively. On Fig. 2 it can be easily seen that the task set is not schedulable. Failure is declared after transition from the 7-th state to the final state in which \(c_3 > q_3\), i.e. the remaining execution time is greater than the remaining time to deadline. On the other hand, the algorithm with incorrect Rule 1* declares success as it discards all states except the initial state. As the observed worst-case response time (\(R_{observed}\)) of \(\tau _3\) is set to LO-criticality mode response time (\(R_3^{LO} \le D_3\)) prior to the state space exploration, algorithm produces incorrect response time and schedulability decision.

Fig. 1
figure 1

Legend for state space exploration diagrams

Full size image
Fig. 2
figure 2

State space exploration with corrected Rule 1*

Full size image
Fig. 3
figure 3

State space exploration with incorrect Rule 1*

Full size image

2.3 The second error: pruning rule PR8

The second error is in the pruning rule PR8. As stated in the paper:

PR8 If \(p_m = T_m\) and there exists a LO-criticality task \(\tau _i, i \in \{m + 1, \ldots , k\}\), such that \((c_i > 0 \wedge \forall \tau _j, j \in \{1, \ldots , m - 1, m + 1, \ldots , i\}, c_j = 0)\).

The problem with the rule is that if task \(\tau _i\), i.e. index i, is included in set \(\{1, \ldots , m - 1, m + 1, \ldots , i\}\) then for the condition to be valid \(c_i\) has to be equal zero (\(c_j = 0\)). However, the first part of the condition states that \(c_i > 0\). Therefore, the PR8 is incorrect as the condition is always false due to the contradiction. The latter set in the pruning rule should be corrected to \(\{1, \ldots , m - 1, m + 1, \ldots , i - 1\}\) and then task \(\tau _i\) is excluded from the former part of the condition. Additionally, index k should be excluded from set \(\{m + 1, \ldots , k\}\) as \(\tau _k\) is a high-criticality task.

2.4 An inconsistency: schedulability test algorithm

There is an inconsistency in the efficient schedulability test formulation depicted with Algorithm 2 from Sect. 4.2 regarding the Proposition 4 from the Sect. 3.3 of the paper. For completeness and clarity, Algorithm 2 and Proposition 4 are reproduced here as defined in Asyaban and Kargahi (2018).

Proposition 4

If criticality levels of task\(\tau _i\)and all tasks with priorities higher than it are the same (i.e.,\(\forall \tau _j \in hp(\tau _i), Lj = L_i\)), the critical instant for task\(\tau _i\)corresponds to what SAS offers. Hence, the standard RTA can be used as follows:

$$\begin{aligned} R_i = C_i(L_i) + \sum _{\tau _j \in hp(\tau _i)} \bigg \lceil \frac{R_i}{T_j} \bigg \rceil C_j(L_i) \end{aligned}$$

An inconsistency which may cause confusion is in the lines 4-5 of Algorithm 2 which depicts the schedulability test. The condition specified in else if statement (line 4) is: \(\forall \tau _j \in \{\tau _1, \ldots ,\tau _k\}, L_j == L_k\). Although, this represents Proposition 4 accurately, at this point it is obvious that \(L_k = HI\) as the condition in line 2 is not satisfied, i.e. task \(\tau _k\) is undoubtedly a high-criticality task.

figure c

3 Conclusion

We pointed out some errors in Asyaban and Kargahi (2018) which are crucial for the correct implementation of the algorithm. With the suggested corrections the algorithm produces results as expected.