Contention-Free Scheduling for Mixed-Criticality Multiprocessor Real-Time System

: Zero-laxity (ZL) and contention-free (CF) policies have received considerable attention owing to their simplicity and applicability to real-time systems equipped with symmetry multiprocessors. Recently, the ZL policy for mixed-criticality (MC) systems has been proposed and studied, but the applicability to and performance of the CF policy for MC systems have not been investigated yet. In this paper, we propose the CF policy (as a scheduling policy) for MC symmetry multiprocessor systems, referred to as the MC systems tailored CF policy (MC-CF), and a schedulability analysis in support thereof. We deﬁne the notion of contention-free slots for two different criticalities (of MC systems) of tasks, propose a technique to limit the amount to be utilized for each task by deﬁning an upper bound, and subsequently explain the way in which the contention-free slots are systematically utilized to improve the schedulability of MC symmetry multiprocessor systems. Following this, we develop a deadline analysis (DA) for MC-CF. Using our experimental results under various environmental settings, we demonstrate that MC-CF can signiﬁcantly improve the schedulability of ﬁxed-priority


Introduction
Real-time embedded systems differ from general-purpose systems in that designated multiple real-time tasks (e.g., engine control and sensing) are repeatedly executed on limited computing resources (e.g., CPU and memory). At the same time, real-time tasks need to be conducted within a predefined time, known as a deadline, as a strict design requirement. To achieve this goal and considering the characteristics of embedded systems, the following two problems have been extensively studied by the real-time systems community: (i) ways to effectively allocate the limited computing resources to real-time tasks and (ii) approaches to judge whether the system satisfies the design requirement. Methodologies to address (i) and (ii) are referred to as the real-time scheduling algorithm and schedulability analysis, respectively. In the case of uniprocessor systems, these two methodologies have been fully matured as optimal scheduling algorithms, namely, the earliest deadline first (EDF) and the rate monotonic (RM) algorithms, have been developed and extensively studied, and the exact schedulability analyses to support them were proposed [1]. With regard to multiprocessor systems, optimal techniques such as ER-Fair, LLREF, RUN, and EKG have been suggested [2][3][4][5], and have evolved to reduce their scheduling costs [6].
However, these research achievements targeted a system in which real-time tasks have an equal impact on the safety of the system, known as the criticality, which does not support an increasingly important trend in the design of real-time systems considering different criticalities of tasks. For example, modern automotive systems conduct safety-critical tasks (e.g., wheel steering and breaking systems) as well as mission-critical ones (e.g., the camera and various sensing systems), the various criticalities of which are explicitly categorized in the ISO 26262 standard [7]. Although a mixed-criticality (MC) system should support different criticalities with high CPU utilization, relatively few approaches have been proposed [8][9][10] compared to those for single-criticality (SC) systems.
For example, the zero-laxity (ZL) [11] and contention-free (CF) [12,13] policies have received considerable attention owing to their simplicity and applicability to SC systems equipped with multiprocessors. ZL and CF policies are incorporated into most (if not all) existing scheduling algorithms and improve the real-time scheduling performance of SC systems in that they have opposite objectives. The ZL policy promotes the priority of a task to the highest level at a time instant when it should be scheduled to avoid missing the deadline, whereas the CF policy relegates the priority to the lowest level at the time instant at which its schedulability is guaranteed. Recently, the ZL policy for MC systems was proposed and studied [14,15], but the applicability and performance of the CF policy for MC systems have not been investigated.
In this paper, we propose the CF policy (as a scheduling policy) for MC multiprocessor systems, referred to as the MC systems tailored CF policy (MC-CF), in addition to the schedulability analysis to support the policy. We consider the fixed-priority (FP) and earliest-deadline first (EDF) scheduling as the base scheduling algorithms where MC-CF is applied. The key idea of the CF policy is to exploit the notion of a contention-free slot, which is defined as the time slot in which the number of active (i.e., released but unfinished) jobs is less than or equal to the number of processors [12,13]. In other words, in contention-free slots, active jobs can be executed without any contention to obtain processors (or cores). We define the notion of contention-free slots for two different criticalities (of MC systems) of tasks, propose a technique to restrict the amount to be utilized for each task by defining an upper bound, and then present the way in which the contention-free slots are systematically utilized to improve the schedulability of MC multiprocessor systems. Then, we develop the deadline analysis (DA) [16] for MC-CF. Finally, we conducted experiments with settings in various environments to demonstrate that MC-CF can significantly improve the schedulability of fixed-priority scheduling.
The following summarizes the contributions of our study: • We propose a method to calculate an upper bound of the number of contention-free slots for each task; • We then propose MC-CF; • We develop the DA test for MC-CF.
The remainder of this paper is organized as follows. Section 3 presents our considered system model. Section 4 first defines the notion of contention-free slot for MC systems and explains how to calculate the upper bounded number of contention-free slots that exit for each task. Then, MC-CF is proposed. Section 5 presents DA for MC-CF proposed in this paper. In Section 6, the performance of MC-CF is discussed. Section 2 summarizes the related work, and Section 7 concludes this paper.

Related Work
For the last few decades, a number of studies on real-time systems have focused on developing scheduling algorithms for multiprocessor systems to improve schedulability of the target systems. ER-Fair, LLREF, EKG, and RUN were proposed as optimal scheduling algorithms for multiprocessor systems, and have evolved to reduce their scheduling costs [6]. For example, RUN transforms the problem of task scheduling for multiprocessors into that of a uniprocessor, and reduced the number of preemptions significantly compared to the other techniques that exploits rated-based approaches.
On the other hand, another approach has tried to develop scheduling policies that can be applied to most (if not all) existing scheduling algorithms to improve schedulability analysis. The ZL [11] and CF policies [12,13] are representative examples the such techniques. The ZL policy promotes the priority of a task to the highest level at a time instant when it should be scheduled to avoid missing the deadline, whereas the CF policy relegates the priority to the lowest level at the time instant at which its schedulability is guaranteed. The CF policy were further studied to better exploit contention-free slots [17], and the response-time analysis (RTA) for the CF policy was proposed [18].
While the studies above are for single-criticality systems that for mixed-criticality ones was initiated by the seminal work of Vestal [19], and a number of studies have been conducted for uniprocessor platforms. Baruah proposed RTA [20] for static mixed-criticality scheduling, and proposed a new MC-scheduling algorithm called the earliest-deadline first virtual deadline (EDF-VD) [21,22]. Li proposed new criticality based priority (OCBP) scheduling algorithm [23,24], and OCBP was extended to PLRS by Guan [24]. Baruah also proposed a more general model for MC scheduling, wherein the task parameter can be varied according to its criticality [25]. The task model in [25] assumes that WCET estimates are non-decreasing, period estimates are non-increasing, and relative deadline estimates are non-decreasing with increasing criticality because a higher criticality requires more conservative estimates.
With respect to the multiprocessor platform, Pathan proposed an OPA-compatible schedulability analysis for FP scheduling, and Li extended EDF-VD to multiprocessor MC systems [26]. Lee applied fluid scheduling to MC systems in which tasks have different execution rates according to their criticality [27]. In [14], Jung first applied the ZL policy to EDF for MC systems, and proposed a new RTA to support it. Mollison proposed a rather practical technique to utilize a concept of "slack" defined as the gap between the worst-case execution time prediction and actual execution times [24]. In [24], high-criticality tasks provide slack, and low-criticality tasks utilize it to improve schedulability.
Our study is motivated by that the CF policy has been investigated a lot for single-criticality systems, but it is not for mixed-criticality ones while the ZL policy for MC systems was proposed and studied [14,15]. The DA test is also proposed in [12,13] to support the CF policy, but it only supports single-criticality systems. That is, the worst-case scenario to estimate the worst-case interference from higher-priority jobs for a task τ k only consider single-criticality systems. To the best of our knowledge, we first proposed the CF policy and its schedulability analysis to support mixed-criticality systems.

System Model
We consider an m processor system operating real-time tasks of which the criticalities are categorized by two levels, H I and LO. A task set τ in which a task τ i is specified by a five-tuple of parameters (X i , C LO i , C H I i , D i , T i ) each of which parameter is specified as follows: • X i ∈ {HI, LO} is the criticality of a task, and a task τ i with X i = H I or X i = LO is either a HI-criticality or LO-criticality task, respectively. • C LO i and C H I i denote the worst-case execution times (WCETs) for the low and high criticalities, respectively. We assume that C LO i ≤ C H I i because a task with higher criticality requires a more conservative analysis for WCET. • D i and T i represent the relative deadline and the period of the task, respectively, and D i = T i is satisfied.
τ LO and τ H I represent a set of tasks each whose criticality X i is H I and LO, respectively; by definition, τ LO ∪ τ H I = τ and τ LO ∩ τ H I = ∅ hold.
A task τ i invokes a series of jobs, and the n-th job J n i is released at r n i and finished at f n i . We use J i (likewise r i and f i ) if it indicates an arbitrary job released by τ i . We assume that the release times of two jobs that are consecutively released by the same task τ i are at least T i apart from each other. We call a released job before its completion an active job. The absolute deadline d n i of a job J n i is defined as d n i = r n i + D i . We use J i , when it denotes an arbitrary job of τ i . J n i is schedulable if it completes its execution before d n i , and τ i is schedulable if every job released by τ i is schedulable. In addition, τ is schedulable if all tasks in τ are schedulable.
We consider global, preemptive, and work-conserving FP and EDF scheduling. Scheduling with these characteristics enables an active job to migrate from one processor to another at every scheduling decision (e.g., a job release, completion, and priority demotion), assigns a processor to its higher-priority job, and processors are always utilized by active jobs if any. Fixed-priority scheduling assigns a priority to a task rather than a job, and thus all jobs released by the same task have the same priority. On the other hand, EDF assigns a priority to a job rather than a task. Table 1 lists up notations used throughout this paper. the lower bound of the contention-free slots for τ i ∈ τ H I , assuming that a mode transition occurs at r i + the interference I H I k←i ( , ) of τ i on τ k ∈ τ H I , assuming that a mode transition occurs at r i + The considered MC systems support two operating modes, LO-and HI-modes, respectively. The system starts in the LO-mode, and the system transition to HI-mode occurs at a time instant when any job J i executes for more than its C LO i . After a mode transition, we assume that jobs of tasks τ i ∈ τ H I execute for up to C H I i , and jobs of tasks τ i ∈ τ LO are aborted (i.e., dropped). A task set τ scheduled on the MC systems is said to be schedulable if and only if the following is satisfied:

•
In the LO-mode, every task τ i ∈ τ is schedulable; and • In the HI-mode, every task τ i ∈ τ H I is schedulable.

MC-CF
In this section, we first describe existing MC scheduling as background. We then present the way in which MC-CF effectively schedules tasks by utilizing the notion of contention-free slots.

MC-CF Scheme
MC-CF scheme utilizes the notion of contention-free slots that is formally defined as follows. Definition 1. (contention-free slot (from [13])): A time slot is called contention-free if the number of active jobs is less than or equal to the number of processors m at the slot; it is called a contending slot, otherwise.
By definition, if the remaining execution (to be finished) of a job is less than or equal to the remaining contention-free slots that will be encountered before its deadline, the schedulability of a job is guaranteed because the remaining execution can proceed without any contention. The underlying idea of the CF policy is to improve the schedulability by transferring the execution of certain jobs in contending slots to contention-free slots to improve the chances of lower-priority tasks being scheduled in contending slots. This migration of executions is conducted by relegation of the priority (at a certain time t) of jobs whose schedulabilities are guaranteed by comparing their remaining executions and contention-free slots. Let Φ LO i and Φ H I i be the lower bound of the contention-free slots that exist in an interval [r i , d i ) for τ i ∈ τ LO and τ i ∈ τ H I , respectively; the calculation of thereof is explained in detail in the next subsection. In addition, let C i be the amount of remaining execution time of J i at t to be finished and the remaining contention-free slots (also, lower bounded) that exist before d i . MC-CF exploits two separated queues Q H and Q L where any job in Q H has a higher priority than any job in Q L . The following are the detailed steps of the CF policy.
Algorithm 1 presents how MC-CF operates. Before the system starts, MC-CF calculates the lower bound of the contention-free slots Φ LO i and Φ H I i that exists in the interval [r i , d i ) for τ i ∈ τ LO and τ i ∈ τ H I , respectively (Line 1). Then, MC-CF operates the following at each time slot t (Line 2); note that the system starts in the LO-mode. If a job J i is released, then it sets the remaining contention-free i , then it moves to Q L , which implies that the remaining execution C (t) i can be performed without deadline miss even if its priority is demoted to the lowest. In addition, Φ The difference between Algorithm 1 in [13] and Algorithm 1 in our paper is as follows. In our paper, high-and low-criticality tasks have their own contention-free slots (i.e., Φ LO i and Φ H I i ), respectively (in Line 4). In addition, they have their own worst-case execution times (i.e., C LO i and C H I i ), respectively (in Line 5). Finally, Algorithm 1 in our paper support a mode transition conducted by mixed-criticality systems (in Lines 23-26).
(in the LO-mode) or C H I i (in the HI-mode). 6: Put the job in Q H . 7: end if 8: for i then 10: Move J i to Q L . 11: end if 12: end for 13: if |Q H | + |Q L | ≤ m then 14: for Each job J i in Q H do 15: . 16: end for 17: end if 18: Prioritize jobs in Q H according to the considered base algorithm. 19: for Each job J i selected among the (up to) m highest-priority jobs do 20: Update

21:
If the job is finished, remove the job from its queue. 22: end for 23: if A mode transition occurs then 24: Drop all tasks τ i in τ LO ; they are not scheduled any more. 25: for all active jobs of tasks τ i in τ H I . 26: end if 27: end for

Lower Bound of Contention-Free Slots
The key technique of MC-CF is to calculate the lower bound of the contention-free slots Φ LO i and Φ H I i that exists in an interval [r i , d i ) for each task τ i ∈ τ LO and τ i ∈ τ H I , respectively (Line 1 of Algorithm 1). The underlying idea of the technique is to calculate the upper bound of the maximum workload conducted in an interval [r i , d i ), and then derive the lower bound of contending slots in the interval. Thereafter, the lower bound of contention-free slots Φ LO i and Φ H I i is obtained by Definition 1. We first derive Φ LO i (for τ i ∈ τ LO ) with the following strategy. Let W LO i ( ) be the maximum workload of a task τ i (whose X i can be either LO or H I) in an interval of length in the LO-mode. Figure 1a shows the worst-case scenario where W LO i ( ) occurs [14]. As shown in Figure 1a, the last (i.e., the right-most job in Figure 1a) job starts its execution at r n i , and finishes it at the end of the interval of length . The remaining jobs (i.e., the left-most and middle jobs) start their executions as late as possible and end at their absolute deadlines. Considering a job J i fully executing for C LO i (e.g., the rightmost and middle jobs in Figure 1a) and jobs executing the portion of C LO i , W LO i ( ) is calculated as follows: where N LO i ( ) is the number of jobs executing for C LO i given by Then, the following derives the lower-bounded number of contention-free slots Φ LO k of τ k ∈ τ LO in an interval of length D k (i.e., for [r k , d k )) in the LO-mode. contention-free slots in [r k , d k ), which is calculated as follows: Proof. By definition, the workload (or execution) of a task τ i is upper bounded by W LO i ( ) in the LO-mode, and at least m executions are needed for a time slot to be contending. Thus, there are at least D k − min D k , Then, W LO k (D k ) is reduced to C LO k because only one job is released in [r k , d k ). Thus, the lemma holds.
Note that τ k ∈ τ LO is immediately dropped at the mode transition, and we do not care about the schedulability of the task. That is, the number of contention-free slots that exist in [r k , d k ) does not need to be considered to guarantee the schedulability for τ k ∈ τ LO in the presence of a mode transition. However, MC-CF sets Φ (t) k ← Φ LO k for τ k ∈ τ LO (Line 4 in Algorithm 1) even though it is unable to foresee the timing of the mode transition Then, the schedulability analysis proposed in Section 5 takes this behavior of MC-CF into account to judge the schedulability of τ k ∈ τ H I .
With regard to Φ H I i for τ i ∈ τ H I , we need to consider that a mode transition can occur in [r i , d i ) because such a task can execute even after the mode transition. Let W H I i ( , ) be the maximum workload of a task τ i ∈ τ H I in an interval of length assuming that a mode transition occurs at the end of ; is assumed to start at the beginning of . Figure 1b presents the scenario where W H I i ( , ) occurs. As shown in Figure 1b . Considering a job J i fully executing for C H I i (e.g., the rightmost and middle jobs in Figure 1b) and jobs executing the portion of C LO i , W H I i ( , ) is calculated as follows: where N H I i ( − ) is the number of jobs executing for C H I i given by and χ is given by Then, considering tasks τ i ∈ τ LO that are dropped at the end of , the following derives the lower-bounded number of contention-free slots Φ H I k ( ) of τ k ∈ τ H I in an interval of length D k (i.e., for [r k , d k )) for a given .

Lemma 2.
For a job J k of a task τ k ∈ τ H I scheduled by MC-CF when FP is applied, there are at least Φ H I k ( ) contention-free slots in [r k , d k ) for given , which is calculated as follows: Proof. With given , the workload (or execution) of τ i ∈ τ LO is upper bounded by W LO i ( ) and that of τ i ∈ τ H I is upper bounded by W H I i ( , ). In addition, at least m executions are needed for a time slot to be contending. Thus, there are at least D k − min D k , . Thus, the lemma holds.
Because MC-CF is unable to predict the timing of the mode transition, we need to consider all for 0 ≤ ≤ D k to derive the lower bound of contention-free slots in [r k , d k ) for τ i ∈ τ H I . Thus, Φ H I k of τ k ∈ τ H I in an interval of length D k (i.e., for [r k , d k )) with an arbitrary for 0 ≤ ≤ D k is derived as follows.
Lemma 3. For a job J k of a task τ k ∈ τ H I scheduled by MC-CF, there are at least Φ H I k contention-free slots in [r k , d k ) with an arbitrary for 0 ≤ ≤ D k , which is calculated as follows:

Schedulability Analysis for MC-CF
In this section, we propose a new schedulability analysis for MC-CF. We first present a schedulability analysis for the LO-mode by extending the existing DA for MC-CF. We then present that, in the HI-mode, higher-priority tasks are observed to interfere with a task. Note that a task set τ scheduled on the MC system is schedulable if it is schedulable for both LO-and HI-modes, as presented in Section 3. According to Lemmas 1 and 2, Φ LO k and Φ H I k can be greater than C LO k and C H I k , respectively, but we upper-bound it to C LO k and C H I k , respectively, for the correctness of the schedulability analysis that will be presented in this section.

Schedulability Analysis for LO-Mode
The underlying idea of DA is to judge whether every job J k of τ k can complete its execution in [r k , d k ) by investigating whether the upper bound of the interference is smaller than or equal to D k − C LO k for the LO-mode and D k − C LO k for the HI-mode. Before we develop DA for MC-CF in the LO-mode, we define the following notion for the LO-mode.

Definition 2. Interference I LO
k←i ( ) of τ i on τ k ∈ τ is defined as the cumulative length of all intervals in an interval of length where J k is ready to execute, but it cannot execute on any processor while jobs of τ i do in the LO-mode.
The DA for MC-CF reduces I LO k←i ( ) by exploiting the policy of MC-CF that it demotes the priority of higher-priority jobs each of which priority is guaranteed by comparing its remaining execution C (t) i and contention-free slots Φ (t) i (Lines 9-11 in Algorithm 1), and thus lower-priority jobs can execute with relatively higher priority in contending slots. The following lemma presents an important property of MC-CF in the LO-mode. Proof. When J i is released, it enters Q H , and Φ (t) We consider the following two cases: i ) contention-free slots before it moves to Q L at t . After t , the job cannot interfere with other jobs in Q H because any job in Q L has a lower priority than that of Q H . Thus, Lemma 4 implies that the amount of execution for J i of τ i ∈ τ LO (or τ i ∈ τ H I ) to interfere with other jobs is limited to in the LO-mode when MC-CF is applied. Thus, instead of counting C LO i to derive W i ( ) in Equation (1), we use max 0, ) be the maximum workload of τ i performed in contending slots in an interval of length when τ i ∈ τ LO (or τ i ∈ τ H I ) is scheduled by MC-CF in the LO-mode. Figure 2 presents the worst-case scenario where Because at least Φ LO i (or Φ H I i ) amount of execution is performed in contention-free slots, a job of execution of the last job (e.g., the right-most job in Figure 2) is included in an interval of length . Then, the previous jobs are as late as possible without a deadline miss; their first C LO executions are performed in contending slots, and the others are done in contention-free slots. With the reasoning, is calculated as follows: where N LO i ( , Φ i ) is the number of jobs executing for C LO i − Φ i given by By the definition of Then, the following provides DA for LO-mode when MC-CF is applied to FP scheduling.

Theorem 1.
A task set is schedulable under MC-CF for FP scheduling in the LO-mode if the following holds for each task τ k ∈ τ: Proof. For J k to miss its deadline in the LO-mode, J k is executed at most C LO k − 1 time units in [r k , r d ), and, at each time slot, interference from at least m other jobs is needed to block τ k 's execution. Thus, the job cannot miss its deadline if the total interference of other jobs on a job of τ k is less than We then derive schedulability analysis for EDF scheduling. Let ) be the maximum execution higher priority jobs performed in contending slots in an interval of length = D k when τ i ∈ τ LO (or τ i ∈ τ H I ) is scheduled by MC-CF with EDF scheduling in the LO-mode. Figure 3 presents the worst-case scenario where is calculated as follows: where EN LO i ( , Φ i ) is the number of jobs executing for C LO i − Φ i given by By the definition of Then, the following provides DA for LO-mode when MC-CF with EDF scheduling is applied.

Theorem 2.
A task set is schedulable under MC-CF with EDF scheduling in the LO-mode if the following holds for each task τ k ∈ τ: Proof. The proof is the same as Theorem 1.

Schedulability Analysis for HI-Mode
According to the policy of MC-CF, tasks in τ LO are dropped at the mode change, and thus we consider the schedulability of tasks in τ H I in the HI-mode. Before we develop DA for MC-CF in the HI-mode, we define the following notion for HI-mode as follows.

Definition 3. Interference I H I
k←i ( , ) of τ i on τ k ∈ τ H I is defined as the cumulative length of all intervals in [r k , d k ) where J k is ready to execute, but it cannot execute on any processor while jobs of τ i do, which assumes that a mode transition occurs at r k + for < D k .
Similar the LO-mode case, DA for MC-CF reduces I H I k←i ( , ) by exploiting the priority-demotion policy of MC-CF in the HI-mode (Lines 9-11 in Algorithm 1). The following lemma presents an important property of MC-CF in the HI-mode. Let W H I i ( , , Φ H I i ) denote the maximum workload of τ i ∈ τ H I performed in contending slots in an interval of length when τ i is scheduled by MC-CF with FP scheduling, which assumes that a mode transition occurs when the amount of time elapses from the beginning of the interval of length . Figure 4 presents the worst-case scenario where W H I i ( , , Φ H I i ) occurs. As shown in Figure 4, only C H I i − Φ H I i amount of execution of the last job after a mode transition (e.g., the right-most job in Figure 2) is included in an interval of length . Then, the previous jobs are executed as late as possible without a deadline miss; the first job before the mode transition executes for C LO i − Φ H I i , and the second job experiencing the mode transition executes for C H I i − Φ H I i in contending slots. With the reasoning, W H I i ( , , Φ H I i ) is calculated as follows: where N H I i ( − , Φ H I i ) is the number of jobs executing for C H I i − Φ H I i given by and χ Φ is given by By the definition of W H I i ( , , Φ H I i ) and I H I k←i ( , ), . Then, the following provides DA for HI-mode when MC-CF is applied.

Lemma 6.
A task set is schedulable under MC-CF in the HI-mode if the following holds with given for each task τ k ∈ τ H I : Proof. For J k to miss its deadline in the HI-mode, J k is executed at most C H I k − 1 time units in [r k , r d ), and, at each time slot, interference from at least m other jobs is needed to block τ k 's execution. Thus, the job cannot miss its deadline if the total interference of other jobs on a job of τ k is less than m · (D k − (C H I i − 1)).
Since MC-CF cannot predict the timing of the mode transition, we need to consider all for 0 ≤ ≤ D k to guarantee the schedulability of τ k ∈ τ H I in the HI-mode. Thus, the following theorem completes DA for MC-CF for HI-mode. (18) holds for every 0 ≤ ≤ D k and each task τ k ∈ τ H I We then derive schedulability analysis for EDF scheduling. Let E H I i ( , , Φ H I i ) denote the maximum execution of higher-priority jobs performed in contending slots in an interval of length = D k when τ i is scheduled by MC-CF with EDF scheduling, which assumes that a mode transition occurs when the amount of time elapses from the beginning of the interval of length . Figure 5 presents the worst-case scenario where E H I i ( , , Φ H I i ) occurs. The difference with Figure 4 is that the last job's deadline cannot be later than the end of . With the reasoning, E H I i ( , , Φ H I i ) is calculated as follows:

Theorem 3. A task set is schedulable under MC-CF with FP scheduling in the HI-mode Equation
where is the number of jobs executing for C H I i − Φ H I i given by and χ Φ is given by By the definition of E H I i ( , , Φ H I i ) and I H I k←i ( , ), when EDF is applied. Then, the following provides DA for HI-mode when MC-CF with EDF scheduling is applied.

Lemma 7.
A task set is schedulable under MC-CF with EDF scheduling in the HI-mode if the following holds with given for each task τ k ∈ τ H I : Proof. The proof is the same as Lemma 6.
The following theorem completes DA for MC-CF with EDF scheduling for HI-mode. (22) holds for every 0 ≤ ≤ D k and each task τ k ∈ τ H I

Evaluation
In this section, we evaluate the performance of the proposed MC-CF under various environmental settings. We modified the simulation program used in [13] to accommodate the features of mixed-criticality. The simulation code is implemented by JAVA and runs on a desktop machine (e.g., equipped with Intel i5-9400F CPU and 32 GB RAM). It provides a number of functions regarding task set generation, scheduling simulation, and schedulability analysis. We consider RM scheduling EDF scheduling as base scheduling algorithms in which the proposed MC-CF is applied. We randomly generates task sets with various input factors; then, we measure the number of task sets deemed schedulable by DA designed for RM, RM with MC-CF, EDF and EDF with MC-CF (represented by MC-RM, MC-CF-RM, MC-EDF, and MC-CF-EDF, respectively).
We use MC-tailored UUnifast-discard [28,29] to randomly generate task sets, which is a popular technique to evaluate the performance of the schedulablity analysis developed for multiprocessors. UUnifast-discard basically considers three input parameters to generate task sets: the number of processors m, the number of tasks n, and task set utilization U = ∑ τ i ∈τ C LO i /T i . As we consider MC systems, we further consider two input parameters [9]: CF defined by C H I i /C LO i , and CP defined as the probability of each task τ i having X i = HI. For our evaluation settings, we have m = {4, 8}, n = {m + 2, m + 4, · · · , 20}, U = {0.05m, 0.1m, · · · , 0.8m}, CF = {2, 3, 4}, and CP = {0.1, 0.3, 0.5, 0.7, 0.9}. Given the three inputs m, n, and U, UUnifast-discard first determines every task's utilization u i = C LO i /T i , Then, T i of each task is uniformly chosen in [1,1000], and C L i O is determined by C LO i = u i · T i ). Thereafter, X i is selected as H I with probability CP, otherwise X i is determined as LO. If X i = H I, C H I i is set to (CF · C LO i ). We generate 100 task sets for each setting, thereby yielding 100 * (8 + 6) * 16 * 3 * 5 = 336,000 task sets in total. Figure 6 presents the evaluation results to compare the performance of MC-RM and MC-CF-RM in different evaluation settings. Figure 6a-l show the number of task sets over varying task set utilization with different values of m, CP, and CF. The performance gap between MC-CF-RM and MC-RM becomes larger for smaller CP and CF, and thus it becomes smaller for larger CP and CF as shown in Figure 6a,f. This is because the performance improvement resulting from the CF policy is determined by the value of Φ LO i and Φ H I i as Equation (9) and (15) indicate, but Φ H I i is derived in a rather pessimistic way as it considers every for 0 ≤ ≤ D k . Such the inevitable drawback for deriving Φ H I i is from the characteristic of normal MC systems such that it is not clairvoyant with respect to the timing of a mode transition. Thus, task sets having smaller LO-criticality tasks τ i ∈ τ H I can have a higher chance to be schedulable under MC-CF. As presented in Figure 6g,l, a similar trend is shown for m = 8 with m = 4. In addition, a similar trend is observed in Figure 6m Figure 7, compared to Figure 6, the performance gap between MC-EDF and MC-CF-EDF is much prominent. This is because -RM series considered the FP scheduling that interference from lower-priority tasks (and jobs) are not considered when the schedulability of a task is judged, while -EDF series considered EDF scheduling and interference from all tasks (and jobs) other than τ k are considered. This implies that upper bounded interference from higher-priority tasks under FP is normally (but not always) smaller than EDF when we applied our proposed DA test. Figure 8 plots the number of task sets deemed schedulable under MC-CF-RM by varying the value of U for fixed values of m, CP, and CF. In Figure 8, n = x represents the experimental results from task sets in which each task set contains x tasks. Thus, a task in a task set with a smaller number of n and the same U may have higher task utilization u i . This leads to the phenomenon shown in Figure 8 such that lower n results in higher performance. This is because the underlying idea of DA is to add up the worst-case workload of higher-priority tasks according to Theorem 1 and Lemma 6. The worst-case workload derived in this way is the upper-bounded workload rather than the exact one, and thus the pessimism becomes prominent as n increases. As seen in Figure 8a, n = 6 and n = 20 yield the highest and lowest performance, respectively, for m = 4, CP = 0.1, and CF = 2. Compared to the combination of m = 4, CP = 0.1, and CF = 2 (Figure 8a), that of m = 4, CP = 0.9, and CF = 4 (( Figure 8b) deliver lower performance because the task sets in the setting contain a higher number of HI-criticality tasks.

Conclusions
We propose MC-CF for MC multiprocessor systems and MC-CF tailored schedulability analysis to support it. We defined the notion of contention-free slots for two different criticalities (of MC systems) of tasks, proposed a technique to specify an upper bound for the amount to be utilized for each task, and finally explained the systematic utilization of contention-free slots to improve the schedulability of MC multiprocessor systems. Next, we developed DA for MC-CF. Using the experimental results with various environmental settings, we demonstrated that MC-CF can significantly improve the schedulability of fixed-priority scheduling. As a limitation of the proposed MC-CF and DA, it derives the lower bound of contention-free slots and judges the schedulability of a HI-criticality task in a rather time-consuming way. In the future, we plan to develop a less time-consuming method to overcome the aforementioned limitation. In addition, considering heterogeneous platforms appears to be promising for future work.