Resource Management in Multicore Automotive ... - IRCCyN
Resource Management in Multicore Automotive ... - IRCCyN
Resource Management in Multicore Automotive ... - IRCCyN
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
<strong>Resource</strong> <strong>Management</strong> <strong>in</strong> <strong>Multicore</strong> <strong>Automotive</strong> Embedded Systems ∗<br />
Sylva<strong>in</strong> Cotard<br />
LUNAM Université, Université de Nantes and Renault S.A.S.<br />
<strong>IRCCyN</strong> UMR CNRS 6597 (Institut de recherche en Communications et Cybernétique de Nantes)<br />
1, rue de la Noë BP 91101<br />
F-44321 Nantes, France<br />
sylva<strong>in</strong>.cotard@irccyn.ec-nantes.fr<br />
Abstract<br />
AUTOSAR (AUTomotive Open System ARchitecture) is<br />
an <strong>in</strong>ternational development partnership created <strong>in</strong> 2003<br />
between car manufacturers, suppliers and companies specialised<br />
<strong>in</strong> electronics and <strong>in</strong>formation technology. It aims<br />
at develop<strong>in</strong>g and establish<strong>in</strong>g an open standardised architecture<br />
for E/E (Electrical/Electronic) development.<br />
Nowadays, car manufacturers have to cope with the <strong>in</strong>crease<br />
of heterogeneous functionalities while ensur<strong>in</strong>g the<br />
dependability of time-critical systems. In order to make<br />
sure that all critical services will be able to start and f<strong>in</strong>ish<br />
with<strong>in</strong> constra<strong>in</strong>ed time w<strong>in</strong>dows, their real-time behaviours<br />
have to be understood and some analys<strong>in</strong>g techniques<br />
have to be <strong>in</strong>troduced.<br />
In this paper, we propose to analyse the AUTOSAR<br />
multicore OS specification from a real-time analysis po<strong>in</strong>t<br />
of view.<br />
1. Introduction<br />
AUTOSAR (AUTomotive Open System ARchitecture)<br />
[4] is an <strong>in</strong>ternational development partnership created <strong>in</strong><br />
2003 between car manufacturers, suppliers and companies<br />
of electronics and <strong>in</strong>formation technology. It aims at develop<strong>in</strong>g<br />
and establish<strong>in</strong>g an open standardised architecture<br />
for E/E (Electrical/Electronic) systems.<br />
Dur<strong>in</strong>g the past 15 years, the <strong>in</strong>creas<strong>in</strong>g number of services<br />
provided <strong>in</strong> vehicles caused the evolution of E/E<br />
systems from federated architectures (one function per<br />
Electronic Control Unit (ECU)) to <strong>in</strong>tegrated architectures<br />
(several functions per ECU). The new organisation proposed<br />
by AUTOSAR illustrate this trend. In order to<br />
pursue this evolution, multicore ECU architectures (composed<br />
by two or more cores on the spare die) appear to<br />
be the best trade-off between price, performance and ability<br />
to develop time-critical systems. However, we have to<br />
cope with new challenges concern<strong>in</strong>g the development of<br />
∗ This work has been supported by Renault S.A.S., 1 Avenue du Golf,<br />
78280 Guyancourt - France<br />
such systems. For example, car manufacturers need to be<br />
able to perform real-time analysis <strong>in</strong> order to make sure<br />
that critical subsystems (e.g. X-by wire) will always execute<br />
correctly with<strong>in</strong> their tim<strong>in</strong>g requirements.<br />
Our work aims at understand<strong>in</strong>g and master<strong>in</strong>g the AU-<br />
TOSAR multicore OS specification. More precisely, this<br />
paper focuses on the predictability of such system with a<br />
focus on the real-time behaviour.<br />
Other works are already available. In [1], it is shown<br />
how AUTOSAR can be analysed with schedul<strong>in</strong>g theory<br />
techniques us<strong>in</strong>g the MAST tools. The work deals with<br />
distributed applications but does not take multicore concept<br />
<strong>in</strong>to consideration. In [7], it is shown that the global<br />
schedul<strong>in</strong>g problem <strong>in</strong> AUTOSAR multicore OS can be<br />
divided <strong>in</strong>to two <strong>in</strong>dependent sub-problems: partition<strong>in</strong>g<br />
a set of runnables, and then build<strong>in</strong>g the schedule on each<br />
core. The authors propose a set of algorithms <strong>in</strong> order to<br />
directly f<strong>in</strong>d a schedulable scheme whereas we are <strong>in</strong>terested<br />
here <strong>in</strong> the analysis of a given configuration. F<strong>in</strong>ally,<br />
[6] presents the adequacy of AUTOSAR OS specification<br />
with real-time schedul<strong>in</strong>g theory <strong>in</strong> uniprocessor systems.<br />
The outl<strong>in</strong>e of the paper is as follows. Section 2 gives<br />
an overview of the AUTOSAR multicore OS specification.<br />
Section 3 describes a schedulability analysis for AU-<br />
TOSAR multicore OS applications. F<strong>in</strong>ally, section 4 concludes<br />
the paper.<br />
2. The AUTOSAR multicore OS specification<br />
The AUTOSAR OS specification [2] is based on the<br />
OSEK/VDX operat<strong>in</strong>g system v2.2.2 [8]. The AUTOSAR<br />
multicore OS specification (release 4.0) [3], used <strong>in</strong> order<br />
to perform the work presented <strong>in</strong> this section, is derived<br />
from the exist<strong>in</strong>g AUTOSAR OS specification.<br />
In the AUTOSAR software architecture, the OS (either<br />
uniprocessor or multicore) is ma<strong>in</strong>ly responsible for<br />
schedul<strong>in</strong>g tasks and ISRs (Interrupt Service Rout<strong>in</strong>es)<br />
hosted by an ECU.<br />
Accord<strong>in</strong>g to AUTOSAR multicore OS, all cores shall<br />
use the same <strong>in</strong>struction set and provide access to a shared<br />
memory. The number of cores that can be controlled by
the AUTOSAR OS shall be configured offl<strong>in</strong>e and it is<br />
forbidden to either restart cores or <strong>in</strong>sert additional ones.<br />
2.1 Task schedul<strong>in</strong>g approach<br />
AUTOSAR OS def<strong>in</strong>es an OS-Application as a collection<br />
of OS entities form<strong>in</strong>g a cohesive functional unit.<br />
Ma<strong>in</strong>ly, this <strong>in</strong>cludes tasks, ISRs, alarms, hooks and<br />
schedule tables. All OS objects with<strong>in</strong> the same OS-<br />
Application can access each other us<strong>in</strong>g dedicated APIs<br />
(e.g. it is mandatory to use synchronisation mechanism<br />
to handle <strong>in</strong>ter-core communication). In order to comply<br />
with the specification, an OS Application is statically assigned<br />
to a core what leads to a partitioned system.<br />
The schedul<strong>in</strong>g strategy def<strong>in</strong>ed <strong>in</strong> AUTOSAR OS applies<br />
<strong>in</strong>dependently for each <strong>in</strong>dividual core. A fixed priority<br />
is assigned to each task off-l<strong>in</strong>e. When the scheduler<br />
is <strong>in</strong>voked, it checks among all the ready tasks and selects<br />
to one with the highest priority for execution. If more than<br />
one task share the same priority, FIFO is used as a second<br />
criterion to break ties. It is also possible to choose if the<br />
preemption of a task is allowed or not. This leads to a<br />
mixed preemptive policy.<br />
2.2 Synchronization strategy<br />
In uniprocessor AUTOSAR systems, shared resources<br />
management is handled by the IPCP protocol (Immediate<br />
Priority Ceil<strong>in</strong>g Protocol) [6] what limits the block<strong>in</strong>g<br />
time due to execution of lower priority tasks. When a task<br />
gets a shared resource, its priority is immediately raised<br />
to the resource ceil<strong>in</strong>g priority. The ceil<strong>in</strong>g priority of the<br />
resource must be greater than the base priority of all tasks<br />
that can access this resource so that the schedul<strong>in</strong>g policy<br />
enforces mutual exclusion.<br />
For multicore systems, AUTOSAR allows the shar<strong>in</strong>g<br />
of resources among cores but IPCP is not efficient <strong>in</strong> this<br />
context. To illustrate the <strong>in</strong>efficiency of IPCP, let us consider<br />
the case of a resource shared by two tasks on different<br />
cores. The first one enters its critical section and its<br />
priority is raised to the resource ceil<strong>in</strong>g priority. However,<br />
this will not prevent the other task from enter<strong>in</strong>g its critical<br />
section because schedulers on both cores are <strong>in</strong>dependent.<br />
In multicore AUTOSAR systems, synchronization is<br />
done us<strong>in</strong>g the sp<strong>in</strong>lock mechanism. Sp<strong>in</strong>lock refers to<br />
a busy wait<strong>in</strong>g technique that polls a shared lock variable<br />
until it becomes available. Usually, this technique relies<br />
on HW facilities such as test-and-set or compare-&-swap<br />
<strong>in</strong>structions but it can also be implemented <strong>in</strong> software us<strong>in</strong>g<br />
for <strong>in</strong>stance the Dekker algorithm [5] or the Peterson<br />
algorithm [9].<br />
As synchronization based on sp<strong>in</strong>lock has not been designed<br />
for time critical systems, we can observe deadlock<br />
and starvation situations as discussed <strong>in</strong> section 3.1. To<br />
face these problems, other protocols such as MPCP or<br />
MSRP (<strong>Multicore</strong> extension of Priority Ceil<strong>in</strong>g Protocol<br />
and Stack <strong>Resource</strong> Policy) can be used as proposed <strong>in</strong><br />
[11].<br />
3. Schedulability Analysis of AUTOSAR multicore<br />
OS applications<br />
3.1 Recommendation for us<strong>in</strong>g sp<strong>in</strong>locks<br />
Let us consider the case where five tasks are distributed<br />
on two cores as illustrated <strong>in</strong> Figure 1(a). τ 1 1 , τ 1 2 , τ 2 1 , τ 2 2 ,<br />
share the resource R, whereas τ 1 3 never takes R. A task<br />
has a priority π i (π i > π j denotes τ i has a higher priority<br />
than τ j ).<br />
Scenario lead<strong>in</strong>g to a deadlock (Figure 1(b)): On core<br />
one, τ 1 1 enters its critical section. Then, it is preempted<br />
by τ 1 2 that has a higher priority. Dur<strong>in</strong>g its execution, τ 1 2<br />
tries to enter its critical section. This leads to a deadlock<br />
situation on core 1.<br />
Scenario lead<strong>in</strong>g to a starvation (Figure 1(c)): On core<br />
2, τ 2 2 is execut<strong>in</strong>g and enters its critical section. Then, τ 1 1<br />
starts its execution on core 1 and tries to enter its critical<br />
section. As the resource is locked, τ 1 1 enters a busy<br />
wait<strong>in</strong>g state. Then, τ 1 1 is preempted by τ 1 3 . Dur<strong>in</strong>g that<br />
time, τ 2 2 releases the resource. τ 2 1 is scheduled and enters<br />
its critical section. So, when τ 1 1 is scheduled aga<strong>in</strong>,<br />
it stays <strong>in</strong> the busy wait<strong>in</strong>g state. Starvation occurs when<br />
this scheme repeats <strong>in</strong>def<strong>in</strong>itely.<br />
As presented <strong>in</strong> [3], another problematic situation corresponds<br />
to the use of nested sp<strong>in</strong>locks. In this document,<br />
it is even recommended never to use nested sp<strong>in</strong>locks.<br />
A partial solution could be to disable all <strong>in</strong>terruptions<br />
before gett<strong>in</strong>g the sp<strong>in</strong>lock. This solution prevents deadlock<br />
but cannot prevent all starvation situations ma<strong>in</strong>ly <strong>in</strong><br />
multicore architectures composed of more than two cores.<br />
First, let us consider the case of two cores. If a task is<br />
busy-wait<strong>in</strong>g to enter a critical section, it will automatically<br />
w<strong>in</strong> the lock as soon as it is released. Indeed, any<br />
other task of the same core cannot take the lock (<strong>in</strong>terrupts<br />
are disabled, and no other task can be scheduled) and no<br />
task of the other core will try to get the lock immediately<br />
after it has been released (a context switch, which is not<br />
<strong>in</strong>stantaneous, is required before a task on the other core<br />
can try to get the lock) Let us consider now two tasks on<br />
two cores try<strong>in</strong>g to lock a resource taken by a third task on<br />
another core. In that case, we cannot predict exactly which<br />
of the two wait<strong>in</strong>g tasks will enter its critical section when<br />
the resource will be freed. Thus, the execution scheme<br />
cannot guarantee that starvation will not occur. This leads<br />
to a non-determ<strong>in</strong>istic behavior.<br />
3.2 Classical response time analysis (RTA)<br />
The purpose of schedulability analysis is to make sure<br />
that no time constra<strong>in</strong>t will be violated dur<strong>in</strong>g all the entire<br />
life of the system. In other words, it must be guaranteed<br />
that each task will always complete itself with<strong>in</strong><br />
its deadl<strong>in</strong>e. In order to do that, an off-l<strong>in</strong>e analysis has<br />
to be performed dur<strong>in</strong>g the application design stage. The<br />
RTA technique can be used for that purpose. This technique<br />
consists <strong>in</strong> comput<strong>in</strong>g the worst case response time<br />
of each task and compar<strong>in</strong>g this value with its deadl<strong>in</strong>e.<br />
More formally, a system is composed of a set of tasks<br />
2
Core 1<br />
τ 1 3<br />
τ 1 1<br />
τ 1 2<br />
τ 1 3<br />
τ 1 1<br />
Core 1<br />
R<br />
τ 1 2<br />
τ 2 2<br />
τ1<br />
2 τ2<br />
2<br />
Core 2<br />
(a) Tasks distribution<br />
τ 1 1<br />
Core 1<br />
R is taken Busy wait<strong>in</strong>g<br />
(b) Deadlock Illustration<br />
τ 2 1<br />
Core 2<br />
R is taken Busy wait<strong>in</strong>g<br />
(c) Starvation Illustration<br />
Figure 1. Example of problematic situation observed us<strong>in</strong>g sp<strong>in</strong>lock mechanism<br />
S = {τ i } 1≤i≤s . For the sake of simplicity, we will consider<br />
the follow<strong>in</strong>g assumptions:<br />
• All tasks are periodic, preemptive and activated for<br />
the first time at system startup.<br />
• Tasks on a same core can share resources whose accesses<br />
are controlled via the IPCP protocol. Tasks<br />
of different cores can share a same resource us<strong>in</strong>g<br />
the sp<strong>in</strong>lock mechanism. For this, as expla<strong>in</strong>ed <strong>in</strong><br />
section 3.1, we will consider only two cores to have<br />
a determ<strong>in</strong>istic behavior. Moreover, we will assume<br />
that <strong>in</strong>terrupt are disabled (resp: enable) before (resp:<br />
after) that the lock is taken (resp: freed). This is illustrated<br />
by the programm<strong>in</strong>g scheme of Figure 2.<br />
DisableAllInterrupt<br />
GetSp<strong>in</strong>Lock<br />
<br />
ReleaseSp<strong>in</strong>Lock<br />
EnableAllInterrupt<br />
Figure 2. <strong>Management</strong> of mixed resources<br />
• Each task is assigned a fixed priority which is unique<br />
relative to the core upon which it is executed. As<br />
we use IPCP synchronization protocol for local resource,<br />
the priority level of a task may vary dur<strong>in</strong>g<br />
its execution.<br />
Every task will generate an <strong>in</strong>f<strong>in</strong>ite number of jobs<br />
τ i (q). We def<strong>in</strong>e the response time of a job q as the amount<br />
of time elapsed between the <strong>in</strong>stant where the job is released<br />
for execution and the <strong>in</strong>stant of its completion. In<br />
multicore environments where tasks share resources, we<br />
need to consider all situations that <strong>in</strong>volve a block<strong>in</strong>g time<br />
<strong>in</strong> order to compute r i (q). The response time of the q th<br />
job is:<br />
r i (q) = C i + b l i(q) + b r i (q) + p i (q, r(q)) (1)<br />
where :<br />
• C i is the worst-case execution time (WCET) of τ i .<br />
• b l i (q) is the local block<strong>in</strong>g time caused by tasks that<br />
are located on the same core. This block<strong>in</strong>g time<br />
represents the time dur<strong>in</strong>g which a task can <strong>in</strong>terfere<br />
by execut<strong>in</strong>g a critical section of ceil<strong>in</strong>g priority<br />
greater than π i or a critical section protected by a<br />
disable/enable <strong>in</strong>terrupt.<br />
• b r i (q) is the remote block<strong>in</strong>g time caused by tasks of<br />
the other core when try<strong>in</strong>g to get a global resource.<br />
• p i (q, r(q)) is the <strong>in</strong>terference due to preemption, i.e.<br />
the amount of time a task can be delayed because<br />
of the execution of higher priority tasks on the same<br />
core.<br />
The worst case response time R i of τ i is def<strong>in</strong>ed by the<br />
maximum value of r i (q) among an <strong>in</strong>f<strong>in</strong>ite number of job<br />
q. Consequently, the value of R i is:<br />
R i = max {r i (q)} (2)<br />
To detail the computation of R i , we will consider the<br />
follow<strong>in</strong>g task model (illustrated on Figure 3):<br />
τ i = (T i , D i ≤ T i , π i , {C nc<br />
i,j}, {[C c i,j, S i,j , Π i,j ]}) (3)<br />
τ i<br />
<strong>Resource</strong> S i,1 <strong>Resource</strong> S i,2<br />
Π i,1 Π i,2<br />
π i<br />
Ci,1 nc Ci,1<br />
c C nc Ci,2<br />
c<br />
i,2 Ci,3<br />
nc<br />
Figure 3. Task model considered for RTA<br />
A job of a task τ i is def<strong>in</strong>ed as a set of critical and<br />
non-critical sections. Each critical section corresponds to<br />
a resource S i,j that can be shared either with tasks on the<br />
same core only, or on either core. For local resources,<br />
the ceil<strong>in</strong>g priority is denoted Π i,j and corresponds to the<br />
priority given by IPCP. For global resources, the ceil<strong>in</strong>g<br />
priority Π i,j corresponds to an "<strong>in</strong>f<strong>in</strong>ite" value (to capture<br />
the effect of <strong>in</strong>terrupt mask<strong>in</strong>g). The task τ i is periodic<br />
of period T i and has a priority π i def<strong>in</strong>ed off-l<strong>in</strong>e (π i ><br />
π j denotes τ i has a higher priority than τ j ). We denote<br />
the execution time of critical and non-critical sections Ci,j<br />
c<br />
respectively. F<strong>in</strong>ally c(i) and nc(i) respectively<br />
denote the number of critical and non-critical sections <strong>in</strong><br />
τ i .<br />
and C nc<br />
i,j<br />
T i<br />
3
We can use the def<strong>in</strong>ition given <strong>in</strong> [10] for the def<strong>in</strong>ition<br />
of the critical <strong>in</strong>stant of τ i : when τ i and tasks of<br />
higher priority on the same core are activated at the same<br />
time and the task that contributes to the maximum local<br />
block<strong>in</strong>g time has just started its execution. The remote<br />
block<strong>in</strong>g is tak<strong>in</strong>g <strong>in</strong>to account <strong>in</strong> the local block<strong>in</strong>g time<br />
(section 3.2.1).<br />
3.2.1 Local block<strong>in</strong>g<br />
τ 1 2<br />
τ 1 1<br />
critical section<br />
remote sp<strong>in</strong>n<strong>in</strong>g<br />
Core 1<br />
Figure 4. Local block<strong>in</strong>g situation<br />
As shown <strong>in</strong> Figure 4, a task can be delayed by a critical<br />
section of a task of lower priority on the same core if the<br />
resource ceil<strong>in</strong>g priority is higher than π i (filled section).<br />
This critical section can also be delayed by another one,<br />
protected by a disable/enable <strong>in</strong>terrupt (shaded section).<br />
This can occur only once, between the task release and the<br />
<strong>in</strong>stant it starts. This reduces to the follow<strong>in</strong>g equation:<br />
max<br />
l:1≤l≤c(k)<br />
Π k,l ≥π i<br />
⎛<br />
⎜<br />
⎝Ck,l c +<br />
∀q > 0, b l i(q) ≤<br />
max<br />
3.2.2 Remote sp<strong>in</strong>n<strong>in</strong>g block<strong>in</strong>g<br />
max<br />
max<br />
k:π k 0, b r i (q) ≤<br />
3.2.3 Interference<br />
∑<br />
max<br />
k:core k ≠core i 1≤l≤c(k)<br />
1≤j≤c(i)<br />
(4)<br />
max Ck,l c (5)<br />
S k,l =S i,l<br />
The <strong>in</strong>terference term due to preemptions by higher priority<br />
tasks on the same core is given by:<br />
∑<br />
⌈ ⌉<br />
ri (q)<br />
∀q > 0, p i (q) ≤<br />
∗ C k ′ (6)<br />
T k<br />
k:π k >π i<br />
core k =core i<br />
with :<br />
C ′ k = C k +<br />
∑<br />
max max<br />
m:core m≠core k 1≤n≤c(m)<br />
1≤l≤c(k)<br />
S m,n=S k,l<br />
C c m,n (7)<br />
In (7), we have to take <strong>in</strong>to consideration the WCET of<br />
higher priority task <strong>in</strong>clud<strong>in</strong>g the impact of busy wait<strong>in</strong>g<br />
period.<br />
4. Conclusion<br />
The goal of this paper was to give some results concern<strong>in</strong>g<br />
the real-time analysis for systems us<strong>in</strong>g AU-<br />
TOSAR multicore OS specification.<br />
The analysis does not assume strong hypothesis on the<br />
application. Therefore, it is very pessimistic. Indeed, for<br />
global resources, we always considered the worst case by<br />
tak<strong>in</strong>g the maximal value of the remote block<strong>in</strong>g time (<strong>in</strong><br />
equations 4,5,6). In a real scenario, we cannot determ<strong>in</strong>e<br />
if this pessimistic case will be encountered. To overcome<br />
this limitation, our future work will be to f<strong>in</strong>d how the<br />
AUTOSAR specifications could be used <strong>in</strong> a predictable<br />
way.<br />
In order to limit the non-determ<strong>in</strong>ism <strong>in</strong>duced by sp<strong>in</strong>lock,<br />
we had to def<strong>in</strong>e some restrictions on the HW by<br />
consider<strong>in</strong>g only two cores. For now, only dual-core architectures<br />
are available but <strong>in</strong> the future, we will use dies<br />
with more cores. In those cases, we will have to study<br />
other protocols such as MSRP or MPCP [11].<br />
References<br />
[1] S. Anssi, S. Tucci-Piergiovanni, S. Kuntz, S. Gérard,<br />
and F. Terrier. Enabl<strong>in</strong>g schedul<strong>in</strong>g analysis for autosar<br />
systems. In 14th IEEE International Symposium<br />
on Object/Component/Service-Oriented Real Time Distributed<br />
Comput<strong>in</strong>g, pages 152–159, 2011.<br />
[2] AUTOSAR. AUTOSAR - Specification of operat<strong>in</strong>g system.<br />
Technical Report v4.0, AUTOSAR GbR, 2011.<br />
[3] AUTOSAR. AUTOSAR - Specification of operat<strong>in</strong>g system<br />
for multicore. Technical Report v4.0, AUTOSAR<br />
GbR, 2011.<br />
[4] AUTOSAR. http://www.autosar.org. Technical report,<br />
AUTOSAR GbR, June 2011.<br />
[5] E. W. Dijkstra. Solution of a problem <strong>in</strong> concurrent programm<strong>in</strong>g<br />
control. Commun. ACM, 8(9):569, 1965.<br />
[6] P.-E. Hladik, A.-M. Deplanche, S. Faucou, and Y. Tr<strong>in</strong>quet.<br />
Adequacy between autosar os specification and realtime<br />
schedul<strong>in</strong>g theory. In International Symposium on<br />
Industrial Embedded Systems, 2003.<br />
[7] N. Navet, A. Monot, B. Bavoux, and F. Simonot-Lion.<br />
Multi-source and multicore automotive ecus - os protection<br />
mechanisms and schedul<strong>in</strong>g. In International Symposium<br />
on Industrial Electronics - ISIE, 2010.<br />
[8] OSEK/VDX. OSEK/VDX - Operat<strong>in</strong>g system. Technical<br />
Report v2.2.3, OSEK Group, 2005.<br />
[9] G. L. Peterson. Myths about the mutual exclusion problem.<br />
Inf. Process. Lett., 12(3):115–116, 1981.<br />
[10] Y. Wang and M. Saksena. Schedul<strong>in</strong>g fixed-priority tasks<br />
with preemption threshold. In Proceed<strong>in</strong>gs of the Sixth International<br />
Conference on Real-Time Comput<strong>in</strong>g Systems<br />
and Applications, 1999.<br />
[11] H. Zeng and M. Di Natale. Mechanisms for guarantee<strong>in</strong>g<br />
data consistency and flow preservation <strong>in</strong> autosar software<br />
on multi-core platforms. In 6th IEEE International Symposium<br />
on Industrial Embedded Systems, 2011.<br />
4