Using the Thread SchedulerCritical threads Parent topic: Critical threads

Bankruptcy

Bankruptcy occurs when the critical CPU time billed to a partition exceeds its critical budget.

Note: The System partition's critical budget is infinite; this partition can never become bankrupt.

It's very important that you test your system under a full load to ensure that everything works correctly, in particular to ensure that you've chosen the correct critical budgets. One method to verify this is to start a while(1) thread in each partition to consume all available time.

Bankruptcy is always considered to be a design error on the part of the application, but the system's response is configurable. QNX Neutrino lets you set a recovery policy. The options are:

Default
Do the minimum. When a partition runs out of critical budget, isn't allowed to run again until it receives more budget, i.e., the sliding-averaging window recalculates that partition's average CPU consumption to be a bit less than its configured CPU budget. After bankruptcy, enough time must pass for the calculated average CPU time of the partition to fall to its configured budget. At the very least, this means that a number of milliseconds equal to the critical budget must pass before that partition is scheduled again.
Force a reboot
This is intended for your regression testing. It's a good way of making sure that code causing an unintended bankruptcy is never accidentally shipped to your customers. We recommend that you turn off this option before you ship.
Notify
The SchedCtl() function lets you attach a sigevent to each partition. The thread scheduler delivers that sigevent when the corresponding partition becomes bankrupt. To prevent a possible flood of sigevents, the thread scheduler will deliver at most one sigevent per registration. If you want another notification, use SchedCtl() again and reattach the event to obtain the next notification. As a result, QNX Neutrino arranges the rate of delivery of bankruptcy notification to never exceed the application's ability to receive them.
Cancel
The cancel option causes the bankrupt partition's critical-time budget to be set to zero. That prevents it from running as critical until you restore its critical-time budget, either through the SCHED_APS_MODIFY_PARTITION command to the SchedCtl() function, or through the -B option to the aps modify command.

You can set the bankruptcy policy with the aps utility (see the Utilities Reference) or the SCHED_APS_SET_PARMS command to SchedCtl() (see the QNX Neutrino C Library Reference).

Whenever a critical or normal budget is changed for any reason, there is an effect on bankruptcy notification: it delays bankruptcy handing by two windows to prevent a false bankruptcy detection if a partition's budget suddenly changes, for example, from 90% to 1%.

Note: Canceling the budget on bankruptcy changes the partition's critical budget, causing further bankruptcy detections to be suppressed for two window sizes.

In order to cause the entire system to stabilize after such an event, the thread scheduler gives all partitions a two-window grace period against declaring bankruptcy when one partition has its budget canceled.

Parent topic: Critical threads