FR3060149A1 - METHOD FOR DIAGNOSING TASK SCHEDULING - Google Patents

Abstract

The present invention relates to a diagnostic method, for a computer system comprising at least two paired recurring tasks (T1-T3), comprising the following steps: updating a counting means of a dedicated number of occurrences at a recurrent task (T1-T3), at each new occurrence of said recurring task (T1-T3), comparing the respective counting means of said at least two recurring tasks (T1-T3) matched with expected values, an inconsistency at least one of the counting means with its expected value being indicative of an error.

Description

Holder (s): CONTINENTAL AUTOMOTIVE FRANCE Simplified joint-stock company, CONTINENTAL AUTOMOTIVE GMBH.

Extension request (s)

Agent (s): CONTINENTAL AUTOMOTIVE FRANCE Simplified joint-stock company.

105 / METHOD FOR DIAGNOSING A TASK SCHEDULE.

FR 3 060 149 - A1 _ The subject of the present invention is a diagnostic method for a computer system comprising at least two recurrent paired tasks (T1-T3), comprising the following steps: updating of a counting means d '' a number of occurrences dedicated to a recurring task (T1-T3), during each new occurrence of said recurring task (T1-T3), comparison of the respective counting means of said at least two recurring tasks (T 1-T3) matched with expected values, an inconsistency of at least one of the counting means with its expected value being indicative of an error.

!

-5>.

'K.' V -, .- ;?

"Jffl ί Lî'R £

--K · - "

L ..........

.i., ... X -p, -θ ïb,> " ·. ') ............ -S J -r X r- ···· -............. C -! 'R is3.5

there J!

The present invention relates to a computer system comprising at least two recurring paired tasks, and more particularly to a method for diagnosing a task scheduling error.

In the field of task scheduling, in a known manner, an operating system performs task scheduling while respecting several types of constraints which may be contradictory. Thus he must respect rules of precedence between certain tasks, but also react according to events from the industrial system controlled. Some of these events are noticeably predictable in that they are recurrent and periodic and entail a determined load that is substantially constant. Others of these events are less predictable in that they are random and / or recurrent but not periodic and / or require a variable load. This can cause an execution unit, reacting to such unforeseen events, to have to execute more tasks than its nominal load allows it and thus find itself in overload. In order to avoid such a harmful overload, the operating system arbitrarily deletes as many tasks as necessary, typically where the tasks that exceed the nominal load. The problem which then arises, the operating system usually not informing about its deletion action, is to diagnose such a deletion situation.

In order to respond to this problem, the invention proposes to monitor recurring tasks and to comparatively count the occurrences of paired recurring tasks, in order to be able to detect an inconsistency.

The subject of the invention is a diagnostic method for a computer system comprising at least two recurring paired tasks, comprising the following steps:

• updating of a means of counting a number of occurrences dedicated to a recurring task, during each new occurrence of said recurring task, • comparison of the respective counting means of said at least two recurring tasks paired with values expected, an inconsistency of at least one of the counting means with its expected value being indicative of an error.

According to another characteristic, the hardware part of the computer system comprises at least two execution units.

According to another characteristic, said at least two paired recurrent tasks are synchronous with one another, respectively multiple with a relative recurrence ratio, and the expected values of their respective number of occurrences are equal, respectively in a ratio equal to the ratio of their relative recurrence .

According to another characteristic, said at least two recurring paired tasks are chained and are ordered in a chain, and a next task in the chain can only start if the previous task in the chain is started and / or is finished, and the expected values of their respective number of occurrences are equal.

According to another characteristic, said at least two recurrent paired tasks are hierarchical, a mother task starting the first triggers the execution of at least one daughter task and does not end until all of its daughters are finished, and the values expected from them. respective number of occurrences are equal.

According to another characteristic, the updating of a means of counting a number of occurrences dedicated to a recurring task is carried out by said task.

According to another characteristic, the comparison step takes into account a previously detected inconsistency, in order to detect only a new error.

According to another characteristic, the comparison step tolerates an inconsistency below a threshold.

According to another characteristic, for multiple tasks, the comparison step is carried out after updating the counting means dedicated to the task of lower recurrence, preferably by said task of lower recurrence.

According to another characteristic, for chained tasks, the comparison step is carried out after updating the counting means dedicated to the last task in the chain, preferably by said last task in the chain.

According to another characteristic, for hierarchical tasks, the comparison step is carried out after updating the counting means dedicated to the last daughter task and after updating the counting means dedicated to the mother task, preferably by the mother task.

According to another characteristic, for chained tasks, a single counting means, preferably a binary flag, is used for a chain, the updating step activating the counting means during the execution of a first task of the chain and deactivating the counting means during the execution of a last task in the chain, the expected value of the counting means being "deactivated" before the execution of a first task in the chain and after execution of a last task in the chain.

According to another characteristic, the update step verifies that the counting means is deactivated before activating it.

According to another characteristic, said computer system controls an industrial system, such as an automobile engine.

According to another characteristic, the data of the counting means is stored in a memory shared between all the tasks.

According to another characteristic, the implementation of a counting means comprises a cyclic counter.

The detailed description below is given in relation to drawings in which:

- Figures 1A and 1B show a block diagram illustrating a scheduling error,

- Figure 2 shows a time diagram illustrating an embodiment of the method for hierarchical tasks and for multiple tasks.

Other characteristics, details and advantages of the invention will emerge more clearly from the detailed description given below for information.

Figures 1A and 1B illustrate a possible problem leading to the deletion of a task. We are here in the presence of three tasks T1, T2, T3. These three tasks T1-T3 result from the same processing, divided into three tasks, in order to be able to be executed in a distributed manner over three execution units AO, A1, A2. An execution unit can be a core or core of the same processor or a processor. The three tasks must be scheduled in such a way as to respect the same constraints as when running on a single thread. A first constraint is that these tasks T1-T3 are chained, a next task in the chain can only start when the immediately preceding task is finished, some data from a previous task can be used in a next task. In addition, time is divided into time intervals depending on the position of the engine, called segments or cylinders Cyl1, Cyl2, and determining a period of validity of certain parameters. A second constraint is that all the tasks of the same T1T3 chain must be executed in the same cylinder.

Figure 1A illustrates nominal operation. Here, the time / charge available for cylinder Cyl1 is sufficient to allow the successive execution, in order, of the three tasks T1-T3.

However, the time / charge available for cylinder Cyl1 is variable. The load of an A0-A2 execution unit can be reduced by an exceptional superposition of random events coming from the industrial system controlled. The time allotted to a cylinder can also vary.

Thus in an example of application where the computer system is an automobile engine control system, the duration of a cylinder Cyl1, Cyl2 is inversely proportional to the engine speed.

For these two reasons, the available charge or the time allocated to a cylinder may become insufficient for the chained execution of the three tasks T1-T3 during the cylinder Cyl1. Also as shown in Figure 1B, the occurrence of task T3 for cylinder Cyl1 cannot be executed during Cyl1 and is deleted by the operating system. The risk is then that it will be confused with the occurrence of task T3 for the next cylinder Cyl2.

This deletion is very detrimental in that it can, in extreme cases, lead to engine failure. In addition, the operating system does not report any information regarding this deletion. It is therefore necessary to find a method for diagnosing such suppression. The diagnostic process provides a very advantageous tool in the development phase, enabling erratic scheduling problems that are otherwise very difficult to identify, to be detected as soon as possible and in detail.

For this, the invention uses the presence, in the software part of the computer system, of at least two recurring paired tasks. The basic idea of the invention is to take advantage of the predictability of recurring tasks and their matching in order to detect a deletion of one of these at least two tasks. In fact, two such paired tasks have correlated execution dynamics and must, in nominal operation, have similarly correlated numbers of occurrences. Any inconsistency regarding the expected operation is indicative of an error.

For this, the invention uses a means of counting a number of occurrences dedicated to a recurring task. The diagnostic method comprises the following steps: updating of a means of counting a number of occurrences dedicated to a recurring task, during each new occurrence of said recurring task, and comparison of the respective counting means of said recurrent tasks. minus two recurring tasks matched with expected values. Thus in nominal operation, the means for counting said at least two paired tasks must have values consistent with the expected and predictable values as a function of the relative dynamics of the paired tasks. Any inconsistency of at least one of the counting means with its expected value is indicative of an error, typically indicative of a task deleted.

According to one characteristic, the hardware part of the computer system comprises at least two execution units. It is important to note that the invention is applicable to a computer system comprising only one execution unit. However, the problem diagnosed, namely the deletion of a task, can occur only in a system comprising at least two execution units. The invention is therefore particularly advantageous for such a system.

Now is the time to define the concept of pairing. Said at least two recurring paired tasks are synchronous with one another. Synchronicity must be understood here in a wide way in that the said two tasks are correlated over time. The two tasks can be executed at the same time, execute with the same time interval separating them, or even be multiple in that a fast task is executed n times while a slow task is executed once , n, a relative recurrence ratio not necessarily being whole.

Synchronous paired tasks (between them) can be periodic (and therefore synchronous with time). This is the case, for example, with a clock task, which runs periodically every 10 ms. This task is then multiple of a task executing periodically every 100ms, with a recurrence ratio equal to 10.

Synchronous paired tasks (between them) can be recurrent without being periodic. We call these aperiodic tasks. This is the case, for example of a “segment” task from a heat engine and indicating a reference, for example an angular position preceding by a fixed angular interval given the top dead center of a cylinder, at each revolution of crankshaft. A “half-segment” task indicating a reference shifted by a motor half-turn is then paired synchronously with the “segment” task. Similarly, a task indicating the top dead center of all the cylinders is paired multiple of the “segment” task with a recurrence ratio equal to the number of engine cylinders.

It is possible to compare at least two synchronous paired tasks, as long as they all belong to the same type: periodic or aperiodic.

If the paired tasks are simply synchronous: the relative recurrence ratio n being equal to 1, the expected values of their respective number of occurrences must be equal, in nominal operation. Any difference detected indicates an inconsistency and therefore an error.

If the paired tasks are multiple synchronous: with a relative recurrence ratio n other than 1, the expected values of their respective number of occurrences must be in a ratio equal to the ratio n of their relative recurrence, in nominal operation. Any difference detected indicates an inconsistency and therefore an error.

In order to clarify this notion of synchronicity, two particular examples of synchronous paired tasks (single or multiple) will now be given: chained tasks and hierarchical tasks.

Chained tasks are ordered within a chain and verify a linking condition which can be chosen from two. Thus a following task can only start if the preceding task is started or alternately, and as illustrated in the example of FIGS. 1A and 1B, a following task can only start if the preceding task is finished. Tasks thus chained are paired in that all the tasks of the same chain must be executed substantially at the same time, in sequence, and above all must have an identical number of occurrences. Also, the expected value for each respective occurrence number is that the occurrence numbers must be equal to each other.

Another example of synchronous tasks relates to hierarchical tasks. Hierarchical tasks are linked by a hierarchical report. A mother task (or master (sse) or superior (e) or primary) begins the first and ends the last. During its execution, it triggers the execution of one or more daughter tasks (or slave or subordinate or secondary). The mother task then waits until all of her daughters are finished before she can finish it herself. Tasks thus prioritized are paired in that all the tasks of the same mother / daughter set must be performed substantially at the same time, in a given order and generally repeatable. These tasks, mother and daughters, must therefore, if a daughter task is triggered only once by the mother task, have an identical number of occurrences. Also, the expected value for each respective occurrence number, both of the parent task and of the daughter task (s) is that the occurrence numbers must be equal to each other. In the case where a daughter task is triggered p times, multiple synchronicity appears and the number of occurrences of said daughter task must be p times that of the parent task.

It is obviously possible to combine the two previous examples: a parent task is typically used to trigger as daughter tasks the chained tasks of a chain.

Until now, the software organization has not been discussed in detail, in particular which task performs the process operations: update and comparison, or on which execution unit. This is justified by the fact that any organization, centralized or distributed, can be envisaged to implement the principles described.

Thus, according to one embodiment, a single central task can carry out all of the updating operations and / or of the comparison operations.

Alternatively according to a preferred embodiment, the updating of a means of counting a number of occurrences dedicated to a recurring task is carried out by the task itself.

When a first task is deleted, an inconsistency, typically in the form of a counting means which does not have the expected value, is created. In a subsequent comparison, this inconsistency, if maintained, will induce the comparison step to determine an error, even if no new error has occurred in the meantime, since the last comparison. Also in order to avoid this “memorization” of the inconsistency, according to an advantageous characteristic, the comparison step takes account of any previous inconsistencies which have led to detecting an error and only detects an error in the case of a new error. causing a new inconsistency.

This can be done according to at least two embodiments. According to a first embodiment, when an error is detected, all the counting means are reset, in that they take an initial value, for example zero, or the counting means showing an inconsistency are corrected by what they take the value they should have taken, the expected value. Thus the inconsistency is removed at the source and a new comparison will not detect an inconsistency, unless a new error has occurred in the meantime.

According to another embodiment, an indication of the inconsistency is stored, such as a shift between the counting means and its expected value. Thus during a new comparison, the comparison step can take account of the inconsistency or inconsistencies previously detected by means of the corresponding memorization or memorizations and verify, by integrating the corresponding offsets that the counting means displays a value in coherence with the expected value. If, taking into account all of the memorized inconsistencies, an inconsistency still persists, this is indicative of the occurrence of a new error in the meantime.

When a fault manager interprets an error, it is possible to reset the counters.

A comparison step has so far been described detecting an error when a task is first deleted. Alternatively, it is possible to carry out a slightly more tolerant comparison step. Thus by means of a more or less significant tolerance threshold, corresponding to a greater or lesser inconsistency, it is possible to tolerate one or more job deletions before detecting an error.

It is advantageous to carry out the comparison step at a more favorable time, when the counting means have been updated and are more likely to be consistent.

Thus, for multiple tasks, the comparison step is preferably carried out after the updating of the counting means dedicated to the task of lower recurrence.

Here again, any task can perform the comparison step. However, particularly for a distributed architecture, the task of lower recurrence is best placed to perform this step.

Similarly, for chained tasks, the comparison step is preferably carried out after the update of the counting means dedicated to the last task in the chain.

Here again, any task can perform the comparison step. However, particularly for distributed architecture, the last task in the chain is best placed to perform this step.

Similarly, for hierarchical tasks, the comparison step is preferably carried out after updating the counting means dedicated to the last daughter task and after updating the counting means dedicated to the mother task.

Here again, any task can perform the comparison step. However, particularly for a distributed architecture, the parent task is best placed to perform this step.

It has been seen in the general embodiment, that a counting means could be dedicated to each task. In the case of chained tasks, we necessarily have the same number of occurrences for all tasks. Also, alternatively, a single counting means, preferably a binary flag, can be used for the complete chain. In this embodiment, the update step activates the counting means when a first task in the chain is executed and deactivates it when a last task in the chain is executed. Thus, in nominal operation, if the first and last tasks are executed, neither the first task nor the last task have been deleted, nor any of the intermediate tasks in the chain. Also the expected value of the counting means must be "deactivated" before the execution of a first task of the chain and after the execution of a last task of the chain and "activated" otherwise, either between the execution of 'a first task in the chain and the execution of a last task in the chain. Otherwise, at least one of the tasks in the chain has been deleted, or is not yet finished when a new segment begins, and the counting means has an inconsistent state.

The counting means can be implemented by means of a binary flag selectively raised / activated or lowered / deactivated. Equivalently a counter selectively incremented / activated or decremented / deactivated can be used.

The invention is advantageously applicable to a computer system controlling an industrial system. This industrial system can be an automobile engine, the computer system providing engine control.

Such a system manages, in addition to random events, two recurrences. A first recurrence is periodic with tasks triggered according to a fixed period (for example: 10 ms, 100 ms) in order to manage parameters sampled in real time. A second recurrence is aperiodic with tasks triggered in relation to the operation of the engine (crankshaft angular reference: for example top dead center, camshaft angular reference, etc.) in synchronization with the engine speed.

The counting means and the data associated with them must be accessible in writing by the entity (ies) which carries out the updating step and be accessible in reading by the entity (s) which performs the comparison step. These entities may be different, it is advisable to set up a means of communication of these data. Any means of communication is possible here, for example by exchanging messages. According to a preferred embodiment, this is achieved by means of a shared memory in which all the data is stored. This memory is at least shared between the task (s) performing the update and the task (s) performing the comparison. Advantageously, if necessary, this memory is shared between the execution units involved or between all the execution units.

In the general case, a counting means can be implemented by a counter counting the occurrences of an associated task, incremented with each new occurrence of said task. Advantageously, this counter is cyclic in that it counts the occurrences from 0 to N and that N + 1 is equal to 0, the counter being reset in the event of overshooting. The comparison step knows how to take account of such a cyclic counter, provided that N is large enough to avoid any confusion.

With reference to FIG. 2, a few use cases will now be described. In the left column are the occurrences of periodic parent tasks. A first mother task is executed every 10 ms. The two right columns show two execution units A and B. The parent task "10ms" triggers a child task on each of the two execution units A, B, ie a task "A 10ms" and a task "B 10ms" " Each of these three hierarchical tasks is associated with a counting means, either CTR_10ms for the parent task, CTR_A_10ms for the daughter task executed on the execution unit A, and CTR_B_10ms for the daughter task executed on the unit respectively. execution B. For the first line, everything is fine. The three counting means are equal to 25, so there is no inconsistency to report. On the next line, each of the three tasks is executed correctly and the respective counting means are updated, by an increment of 1, to the value 26. Still no inconsistency. Same as the next line where the counting means are updated to 27.

A comparison step can then compare the counting means of the mother task CTR_10ms with the counting means CTR_A_10ms, CTR_B_10ms of each of its two daughters without detecting any inconsistency indicative of an error. On the next line, the mother task and her daughter on thread A run correctly, but the daughter on thread B is deleted. During the update step, the counting means of the mother task CTR_10ms and the counting means of the daughter task A CTR_A_10ms are incremented and reach the value 28. For the daughter task B deleted, there is no no update and the associated counting means CTR_B_10ms remains unchanged equal to 27. A comparison of the counting means CTR_B_10ms of the daughter task B with the counting means CTR_10ms of the parent task or with the counting means CTR_A_10ms of the task girl A shows an inconsistency in the form of a difference of 1 indicative of an error.

This error being equal to the increment, also indicates the number, here 1, of task deleted.

For the rest of this difference of 1 is stored. Thus the difference which remains between the counters (29, 29, 28; 30, 30, 29; 31, 31, 30) is not again interpreted as an error. On the other hand, a new difference would be indicative of a new inconsistency and therefore of a new error. Thus counters 32, 32, 30, would indicate a new deletion of the child task B, while counters 32, 31, 31, would indicate a deletion of the child task A.

The 10ms task (mother) is a multiple task of a 100ms task. The relative recurrence ratio here is 10. A third occurrence of the 100ms task naturally appears after the thirtieth occurrence of the 10ms task. The comparison step can verify that the counting means CTR_10ms of the task 10ms and the counting means CTR_100ms of the task 100ms are indeed in a ratio of 30 to 3, that is to say 10, equal to the relative recurrence ratio.

The 100ms parent task is itself hierarchized with two 100ms daughter tasks A and B with which it is still possible to check the consistency. Thus each pairing enriches the diagnosis and it is possible to detect a deletion of any task belonging to at least one pairing.

Claims (16)

1. Diagnostic method, for a computer system comprising at least two recurring paired tasks (T1-T3), characterized in that it comprises the following steps: • updating of a means of counting a number of occurrences dedicated to a recurring task (T1-T3), during each new occurrence of said recurring task (T1-T3), • comparison of the respective counting means said at least two recurring tasks (T1-T3) matched with expected values, an inconsistency of at least one of the counting means with its expected value being indicative of an error. 2. Method according to claim 1, wherein the hardware part of the computer system comprises at least two execution units (A0-A2). 3. Method according to any one of claims 1 or 2, wherein said at least two recurrent paired tasks (T1-T3) are synchronous with each other, respectively multiple with a relative recurrence ratio, and where the expected values of their number d 'respective occurrence are equal, respectively in a ratio equal to the ratio of their relative recurrence. 4. Method according to any one of claims 1 to 3, wherein said at least two recurrent paired tasks (T1-T3) are chained, in that they are ordered in a chain and that a next task in the chain does not can only start if the previous task in the chain is started and / or is finished, and where the expected values of their respective number of occurrences are equal. 5. Method according to any one of claims 1 to 4, wherein said at least two recurring paired tasks are hierarchical, in that a parent task begins first, triggers the execution of at least one daughter task and does not finish only after all of its daughters are finished, and where the expected values of their respective number of occurrences are equal. 6. Method according to any one of claims 1 to 5, wherein the updating of a counting means of a number of occurrences dedicated to a recurring task (T1-T3) is carried out by said task. 7. Method according to any one of claims 1 to 6, wherein the comparison step takes into account a previously detected inconsistency, in order to detect only a new error. 8. Method according to any one of claims 1 to 7, wherein the comparison step tolerates an inconsistency below a threshold. 9. Method according to any one of claims 3 to 8, where for multiple tasks, the comparison step is carried out after updating the counting means dedicated to the task of lower recurrence, preferably by said task of lower recurrence. 10. Method according to any one of claims 4 to 9, where for chained tasks, the comparison step is carried out after the updating of the counting means dedicated to the last task in the chain, preferably by said last task chain. 11. Method according to any one of claims 5 to 10, where for hierarchical tasks, the comparison step is carried out after the updating of the counting means dedicated to the last daughter task and after the updating of the means counting dedicated to the mother task, preferably by the mother task. 12. Method according to any one of claims 4 to 11, where for chained tasks (T1-T3), a single counting means, preferably a binary flag, is used for a chain, the updating step activating the counting means during the execution of a first task (T1) of the chain and deactivating the counting means during the execution of a last task (T3) of the chain, the expected value of the counting means being “deactivated” before the execution of a first task (T1) of the chain and after the execution of a last task (T3) of the chain. 13. The method of claim 12, wherein the updating step verifies that the counting means is deactivated before activating it. 14. Method according to any one of claims 1 to 13, wherein said computer system controls an industrial system, such as an automobile engine. 15. Method according to any one of claims 1 to 14, wherein the data of the counting means are stored in a memory shared between all the tasks (T1-T3). 16. Method according to any one of claims 1 to 15, wherein the implementation of a counting means comprises a cyclic counter. 2/2 CTR 3 iûmfc-25 CIR ^ S ^ lUms- 26 CTM iOrra-27 f'r'.j '?; · ('! -. Y CTR_a_10m ₅ = 23 CTR Θ ICffls-29 US B