Conference PaperPDF Available

A decomposition approach for SMT-based schedule synthesis for time-triggered networks


Abstract and Figures

Real-time networks have tight communication latency and minimal jitter requirements. One way to ensure these requirements is the implementation of a static schedule, which defines the transmission points in time of time-triggered frames. Synthesizing such static schedules is known to be an NP-complete problem where the complexity is driven by the large number of constraints imposed by the network. Satisfiabily Modulo Theories (SMT) have been proven powerful tools to synthesize schedules of medium-to-large industrial networks. However, the schedules of new extremely large networks, such as integrated multi-machine factory networks, are defined by an extremely large number of constraints exceeding the capabilities of being synthesized by the tool alone. This paper presents a decomposition approach that will allow us to improve to synthesize schedules with up to two orders of magnitude in terms of the number of constraints that can be handled. We also present an implementation of a dependency tree on top of the decomposition approach to address application-imposed constraints between frames.
Content may be subject to copyright.
A Decomposition Approach for SMT-based Schedule
Synthesis for Time-Triggered Networks
Francisco Pozo, Wilfried Steiner, Guillermo Rodriguez-Navas, and Hans Hansson
School of Innovation, Design and Engineering, M¨
alardalen University
asteras, Sweden
Email: {francisco.pozo, guillermo.rodriguez-navas, hans.hansson}
TTTech Computertechnik AG
Vienna, Austria
Abstract—Real-time networks have tight communication la-
tency and minimal jitter requirements. One way to ensure these
requirements is the implementation of a static schedule, which
defines the transmission points in time of time-triggered frames.
Synthesizing such static schedules is known to be an NP-complete
problem where the complexity is driven by the large number of
constraints imposed by the network. Satisfiabily Modulo Theories
(SMT) have been proven powerful tools to synthesize schedules of
medium-to-large industrial networks. However, the schedules of
new extremely large networks, such as integrated multi-machine
factory networks, are defined by an extremely large number of
constraints exceeding the capabilities of being synthesized by the
tool alone.
This paper presents a decomposition approach that will allow
us to improve to synthesize schedules with up to two orders of
magnitude in terms of the number of constraints that can be
handled. We also present an implementation of a dependency
tree on top of the decomposition approach to address application-
imposed constraints between frames.
A strategy to accomplish high reliability and a clear sepa-
ration of the resources in time-triggered multihop networks is
with the definition of an offline static schedule [1]. Offline
schedules can be seen as a contract in which there is an
agreement in the way the network resources are shared. In
time-triggered communication, offline schedules define the
points in time in which every frame will be sent through
the links fulfilling a set of constraints. These constraints are
defined by network requirements and can be formulated as a
constraint problem in which a valid offline schedule is obtained
when all constraints are satisfied. Synthesizing such offline
schedules is a complex problem known to be NP-complete
[2]. Specialized constraints solvers have been usually used to
solve constraint problems [3], [4], but recently, satisfiability
solvers have started to be applied for such synthesis problems
[5]. Satisfiabiliy Modulo Theories (SMT) emerged to combine
satisfiability solvers with decision procedures expressed in
first-order logic with respect to background theories, allowing
a much easier definition of the problem and high performance
[6]. Two examples of state-of-the-art SMT solvers are Yices
[7], which we select as our synthesizer, and Z3 [8].
SMT solvers have been successfully applied to synthesize
medium-to-large time-triggered multihop networks [9], but
these networks are steadily growing faster than the compu-
tation needed to synthesize their schedules. Extremely large
networks, such as an integrated multi-machine network in
an automation factory, are defined by a large amount of
constraints that no general-purpose solver is capable to manage
and solve in a reasonable amount of time on its own. The
decomposition approach is a widely applied strategy to deal
with large complex problems, dividing the overall problem in
smaller subproblems that can be solved. Thus, we propose a
first decomposition of network schedules by groups of frames,
in which a group’s schedule is synthesized independently
of the others groups of frames and placed afterwards in
the global schedule with a translation of the time values of
every schedule. However in most cases, frames have depen-
dency constraints between them, increasing the complexity
of choosing the group of frames or with the probability
of breaking dependency constraints between subproblems on
the translation phase. We propose the implementation of a
dependency tree between frames that will allow us choosing
the desirable amount of frames per subproblem and guiding
the translation of the schedule subproblems in a way that
dependency constraints are not broken.
The main contribution of this paper is the decomposition
approach for the SMT-based synthesis of schedules that allow
us to schedule much larger time-triggered networks that also
contain dependency constraints between frames. We evaluate
the performance of our approach with different synthetic
TTEthernet networks [10] and show that our approach is
capable of speeding up the synthesis time three orders of
magnitude compared to existing synthesizers. Increasing the
performance of the synthesizer allows us to schedule larger
networks, defined by up to two order of magnitudes more
constraints. Also we evaluate the impact in the performance
for different number of dependency constraints in regards to
the synthesis time which only presents a small overhead thanks
to the implementation of the dependency tree.
We introduce related work in SMT solving, schedule
synthesis and decomposition approaches in Section II. We
then present the basic terminology of time-triggered multihop
networks, SMT-based synthesis and the definition of frame
constraints in Section III. In Section IV we discuss two decom-
position scheduling approaches. We evaluate the performance
of our approaches in Section V. Finally, we conclude in Section
978-1-4673-7929-8/15/$31.00 c
2015 European Union
978-1-4673-7929-8/15/$31.00 © 2015 IEEE
SMT solvers have been applied to various applications:
model checking [11], verification [12], automated test genera-
tion [13], synthesis of programs [14] and more. The first use
of SMT solvers to synthesize schedules [9] has been done
to schedule medium size time-triggered multihop networks.
A similar approach has been used to co-synthesize a task
and network schedule for time-triggered networked systems
[15] and to synthesize time-triggered network-on-chip static
schedules [16].
Different approaches have been studied to synthesize
schedules besides SMT-solving. Specific algorithms have
been developed to synthesize schedules for Profinet IO with
a consumer-producer approach [17]. Different satisfiability
solvers beside SMT have also been used, like SAT-solving for
task and message scheduling on bus systems [18]. Constrained-
based synthesis is also a similar approach to satisfiability,
FlexRay bus schedules were synthesized using a Mixed Integer
Programming approach [19]. Meta-heuristics have been also
used as a common approach to solve complex problems,
for example, a tabu-search has been performed to synthesize
mixed-criticallity application schedules [20].
Decomposition approaches have been widely used to solve
large complex problems that could not have been solved with
traditional approaches and also to speed up the time needed to
solve problems, a decomposition approach has been proposed
to speed up the synthesis time of mixed systems [21]. Other
work has been done to solve large optimization problems
with the decomposition approach, some examples are, a steel
plant schedule Mixed Integer Linear Programming problem
was solved with decomposition [22], or a flow shop schedule
combining a genetic algorithm with decomposition [23].
A. Network Definition
TTEthernet networks are mixed-criticality multihop net-
works composed of end systems, switches and communication
links, in which time-triggered, rate-constraint, and best-effort
traffic are combined on the same network. End systems are
the producers and consumer of frames, and can only be con-
nected to switches by communication links. However, switches
can be connected to other switches and end systems. The
physical topology of multihop networks is typically defined
by an undirected graph G(V, E )where Vrepresent the end
systems and switches of the networks, and Ethe communi-
cation links. TTEthernet is a bidirectional network, hence the
communication links are bidirectional and logically defined
by two directed unidirectional dataflow links, one for each
direction. A path that connects a vertex sender to a vertex
receiver is defined by a sequence of dataflow links declared
as dataflow path. TTEthernet also allows the grouping of
dataflow paths to permit a unique sender transmit frames to
multiple receivers with the implementation of virtual links,
defined in ARINC 664-p7 [24]. An example of a TTEthernet
network can be seen in Figure 1 in which a virtual link with
sender v1transmits the frame to two receivers v6, v7with a
group of two dataflow paths: ((v1, v4),(v4, v5),(v5, v6)) and
((v1, v4),(v4, v5),(v5, v7)).
In a frame being transmitted from a sender to one or
multiple receivers in a virtual link resides a collection of
instances of frames, where every instance of a frame is
Fig. 1: TTEthernet Network example composed of two
switches, five end systems and seven communication links
transmitted in exactly one of the dataflow link of the virtual
link. As TTEthernet is a mixed-criticality network, there are
three different classes of frames:
Time-Triggered (TT): hard real-time requirements and
follows an offline schedule.
Rate-Constrained (RC): soft real-time requirements,
guaranteed bandwidth with upper-bound latency.
Best-Effort (BE): no real-time requirements, follows
the standard Ethernet policy.
The offline schedule of a TTEthernet network contains all
the instances of all the TT frames, which are defined by a triple
f(vi,vj)={f.period, f.leng th, f(vi,vj).offset }. The period
and length of a frame instance are specified a priori by the
designer. However, the offset, which identifies the transmitting
time of the instance of the frame, has to be calculated satisfying
a set of constraints by the schedule synthesizer tool. A cyclic
scheduling of all the TT frames, with a hyper-period, is defined
by the least common multiple of all the TT frames periods [25].
The resolution of the hyper-period is defined by the reso-
lution of the TTEthernet synchronization protocol clock tick,
which produces a large range of possible offsets and therefore a
high complexity for the schedule synthesizer. One of the most
used techniques to reduce its complexity is the definition of a
hyper-period with equally sized slots or raster [26]. The size
chosen for the raster is the maximum time needed to transmit
the longest instance of a frame through any dataflow link plus
the synchronization precision. Thus, the offset range is reduced
to the number of slots in the hyper-period.
B. Scheduling Constraints
TT frames can be formulated by a series of constraints in
regards of their offset values assignments of all the network
dataflow links. In the following paragraphs we will briefly
discuss the constraints implemented in previous synthesizers
[9], which are also implemented in this paper, and explain an
extension on the application constraints.
a) Avoid-collision constraints: In time-triggered com-
munication only one frame can be transmitted at the same
time for a given dataflow link. Hence, the scheduler needs to
assign different offset values to different frames.
b) Ensure-causality constraints: A frame being trans-
mitted from a sender to its receivers through a path needs to
have the correct sequence of offsets values assigned. In order
to control the correct sequence of the frames through the path,
a switch can only relay a frame if it has been received and
after waiting a predefined number of time slots since it has
started receiving the frame, which is typically defined by one
time slot.
c) Avoid-buffer-overflow constraints: One of the most
important hardware limitations in time-triggered multihop net-
works is the memory of the switches as frames are stored in
their buffers waiting to be transmitted. To control the number
of frames that are stored at the same time and to avoid
discarding any frame, the avoid-buffer-overflow constraints set
the number of time slots that a frame can be waiting in the
switch. In this way there are a bounded number of frames that
can be at a switch at the same time.
d) Simultaneous-relay constraints: The simultaneous-
relay constraints are required for some TTEthernet applica-
tions. For a given frame in a switch that has to be relayed
through more than one dataflow links, the frame will be
dispatched at the same time.
e) Application Constraints: Task level requirements
can produce dependencies between different frames such as
application constraints in which a frame cannot be sent until
a predefined amount of time after the transmission of an-
other frame. These constraints are introduced to facilitate the
integration between network and processor level schedules.
We differentiate two different application constraints: 1) tight,
the amount of time that the successor has to wait after the
predecessor is small and it should be dispatched soon after;
2) loose, the amount of time between the predecessor and
the successor is large and there is no need to be dispatched
as soon as possible. In a factory machine network example,
tight constraints are between frames on the same machine,
meanwhile loose constraints are between frames of different
SMT solvers are capable of finding satisfiable instances
for a large number of constraints; this feature can be used for
synthesize schedules. Frame constraints are asserted into the
logical context of the solver which is checked to evaluate if
the constraints are satisfiable or not. If they are satisfiable, a
model is returned with an instance of a valid schedule.
A. Incremental SMT-based Synthesis
The incremental approach have been introduced as a suc-
cessful method to synthesize schedules up to 1,000 frames for
time-triggered multihop networks [9]. We will only present a
brief explanation needed to understand the next approaches.
The incremental approach performs different phases until no
more frames have to be scheduled:
1) Divide the frames into intervals.
2) Create the frame constraints of the interval.
3) Add the constraints into the logic context.
4) Check the satisfiability of the logic context.
5) If it is satisfiable, push the context and place the
satisfiable solution into constraints. Go to step 2.
6) It it is not satisfiable, pop the context. Go to step 3.
The code of the incremental approach can be seen in
Listing 1.
Listing 1: Incremental synthesizer
1public void incremental_scheduler() {
2int head = 1;
3int tail = stepsize;
4context_t ctx = yices_new_context();
5model_t model;
6init_constraints(head, MAX_NUMBER_FRAMES);
7while (tail < MAX_NUMBER_FRAMES + 1) {
8assert_contraints(head, tail);
9if (yices_check_context(ctx) == STATUS_SAT) {
10 model = yices_get_model();
11 place(model, head, tail);
12 yices_push(ctx);
13 head = tail + 1;
14 tail = tail + stepsize;
15 }else {
16 if (tail - head > threshold) {
17 abort();
18 }
19 yices_pop(ctx);
20 head = head - stepsize;
21 }
22 }
23 }
The interval of frames that will be scheduled at each step
is defined by head and tail, with stepsize interval size.
Before executing the loop, the variables that will contain the
values of the offset in the logical context are defined with
the function init constraints(head ,max number frames).
For each interval of frames, the constraints are asserted into
the logical context with assert constraints(head,tail )and
checked executing the yices check context(ctx )function.
If the asserted constraints are satisfiable, the offset values
are retrieved from the model and placed as new constraints
with place(model,head,tail ). Last, the context is saved for
backtracking purposes using the yices push(ctx )function and
the indeces are updated. In case no satisfiable solution can
be found, yices pop(ctx )will backtrack the context, and the
head index is reduced in order to schedule the now unplaced
frames. If the algorithm has no more contexts to backtrack,
the synthesizer will abort and no schedule will be returned.
B. Simple Decomposition SMT-based Synthesis
The number of constraints needed to synthesize schedules
of time-triggered multihop networks is large, e.g. a network
with a snowflake topology with 50 dataflow links and 1,000
frames generates a total number of 6·106constraints that
the SMT solver has to compute at the logical context. The
incremental approach removes some of these constraints, but
it still lacks scalability when the number of constraints is in
the order of 107or more.
We have developed a simple decomposition synthesizer,
that without the implementation of application constraints,
solves the constraints in different logical contexts enabling a
much better scalability than the incremental approach. Hence,
we decompose the total number of frames in subsets that are
solved in a different logical context at a time. Application
constraints have been implemented in the next approach (Sec-
tion IV-C). Every subset is scheduled sequentially with the
previous discussed incremental approach. If the solver returns
a satisfiable flag for a given subset, the frame’s offsets are
stored into internal memory and the logical context of the
solver is reset to remove all the asserted constraints. The loop
is executed until all subsets are scheduled and the synthesizer
output is a schedule for all the frames of the network. In the
case the solver returns an unsatisfiable flag for one subset,
the synthesizer will stop and no schedule can be found. The
only case that can lead the synthesizer to stop without a
solution is when the schedule in construction has already a
larger hyper-period than the maximum provided in the input
parameters. The decomposition synthesizer algorithm can be
found in Listing 2.
Listing 2: Decomposition synthesizer
1public void decomposition_scheduler() {
2int head = 1;
3int tail = stepsize;
4int hyperhead = 1;
5int hypertail = hyperstepsize;
6int interval = 0;
7context_t ctx = yices_new_context();
8model_t model;
9while (hypertail < MAX_NUMBER_FRAMES + 1) {
10 init_constraints(hyperhead, hypertail);
11 while (tail < hypertail + 1){
12 assert_contraints(head, tail);
13 if (yices_check_context(ctx) == STATUS_SAT){
14 model = yices_get_model();
15 place(model, head, tail);
16 yices_push(ctx);
17 head = tail + 1;
18 tail = tail + stepsize;
19 }else {
20 if (tail - head > hyperstepsize) {
21 abort();
22 }
23 yices_pop(ctx);
24 head = head - STEPSIZE;
25 }
26 }
27 memory = save_model_into_memory(model);
28 maximum_offset = study_maximum_offset(memory);
29 hyperhead = hypertail + 1;
30 hypertail = hypertail + hyperstepsize;
31 head = hyperhead;
32 tail = head + stepsize - 1;
33 yices_reset_context(ctx);
34 }
35 }
The main difference between the simple decomposition
synthesizer and the incremental synthesizer is the
implementation of a new loop for every subset of frames. The
range of the subset is defined by hyperhead and hypertail
with hyperstepsize number of frames. The hyperstepsize
length is set to 100 frames, which is the larger number
of frames capable to schedule the incremental synthesizer
without presenting saturation, a more detailed study can be
found in Section V-B. Every subset of frames has its own
logical context and it is solved with the same approach
as the incremental scheduler, but with an adaptation. The
difference is the init constraints() function, which only
initialize the constraints of the subset of frames to be
scheduled. Once the incremental approach has finished, if a
valid schedule has been found, it is saved into memory with
the function memory =save model into memory(model)
on top of the previous scheduled subsets and a study
of the new maximum offset is performed with the
maximum offset =study maximum offset (memory )
function. Figure 2 shows an example where the new obtained
Fig. 2: Example of the save model into memory() and
study maximum offset () functions
schedule subset 3, is saved on top of the schedule subset 2
and the maximum offset of the schedule is updated to its new
value. In order to proceed to schedule the next subset, the
indeces are updated and the logical context is cleaned with the
function yices reset context(ctx ). In case no valid schedule
has been found for a subset, the abort() function will be
called and the synthesizer will stop without a schedule. If
all the subsets have been successfully scheduled, the stacked
schedules saved into memory represent the whole network
Such a simple decomposition is possible as there is no need
to define constraints between frames of different subsets. As
the application constraints are not implemented in the simple
decomposition approach, the only constraints with dependen-
cies are the avoid-collision constraints which, as mentioned
before, prevents two instances of different frames from being
transmitted at the same time through the same link. However,
as every subset of frames is placed in different time slots
intervals (Figure 2), there is no need to define such constraints
between frames belonging to different groups because they will
never be broken.
The decomposition approach presents two main drawbacks
compared with the incremental approach. One drawbacks
affects the “quality” or “compression” of the hyper-period;
scheduling frames on different subsets prevents the synthesizer
to continue searching into already scheduled subsets, which
could have free slots for more frames to be scheduled. This
property does not happen in the incremental approach, as
the synthesizer always looks into all the hyper-period space
to find free slots for new frames. The other drawback is in
regards of the possibility of implementing some new types of
constraints into the synthesizer. As it has been explained in the
previous paragraph, the simple decomposition approach can
be used because there are not dependent constraints between
different subsets of frames besides avoid-collision constraints.
However in the case there is a need to implement a new type of
constraint such as the application constraint (see Section III-B),
the simple decomposition synthesizer cannot remember the
constraint between different subsets, as they will be “forgotten”
after the context reset and the synthesizer will return schedules
that probably will break some application constraints.
C. Dependency Sequencing in the Decomposition SMT-based
Dependencies between subsets of frames are forgotten after
resetting the context, however, to “remember” them alone
is not the solution, as there is no backtracking mechanism
between subsets of frames like in the incremental synthesizer
for the intervals. It could be possible to assert these constraints
between different subsets into all the logical contexts and to
implement a similar backtracking approach as the incremental
synthesizer on the decomposition synthesizer, backtracking
full subsets of frames. However the main drawback of the
backtracking is the increment of frames per subset to be
scheduled every time a break in a constraint is found. In the
worst case, backtracking will lead to a subset of all networks
frame, which it is impossible to solve in a reasonable amount
of time.
The assignment of the frame offsets is strongly dependent
on the scheduling frames sequence and it is the cause that
some constraints are broken for already scheduled subsets
of frames [9]. Building a controlled sequence of frames to
be scheduled can avoid these situations, as no constraints
will be broken in consequence of previous scheduled frames
that had to be scheduled after the actual ones. We propose
to implement a dependency tree that will contain all the
dependencies between frames of the network which will make
us able to know which frames have to be scheduled at every
subset of frames in order to avoid the need of a backtracking
approach between subsets. The controlled sequencing does not
only affect the dependencies of frames on different subsets, it
also can group frames whose dependency constraints are tight
and can be solved in the same context. The code added to the
decomposition approach to implement the dependency tree is
shown in the Listings 3.
Listing 3: Dependency ordering in the Decomposition synthe-
2model_t model;
3int order_frames[hyperstepsize];
4tree dependency_tree = create_tree();
5while (hypertail < MAX_NUMBER_FRAMES + 1) {
7order_frames =
8init_constraints(hyperhead, hypertail);
10 while (tail < hypertail + 1){
11 .
Before starting to execute the principal loop, the
dependency tree is created with the information of all the
dependencies between frames, create tree(). Inside the loop,
for every iteration, update tree(dependencty tree)remove
the already scheduled frames on the previous iteration of the
loop and updates the dependency time slots of the remaining
frames dependencies. For example, in Figure 3, the top three
trees are created by the create tree() function and represents
the dependencies of the network, in which the numbers inside
the nodes are the numbers of the frames, and the numbers
on the links are the minimum time slots that the successor
nodes has to wait to be sent. In Figure 3, an example of the
update tree(dependency tree)function is presented. The
three bottom trees represent the result of their update after
the first execution of the main loop. In the first step, frame
Fig. 3: Example of the update tree(dependencty tree,model)
function for application constraints dependency tree
f1is marked as xbecause it was chosen to be scheduled on
the previous subset of frames. In the second step, the links
to the successors of f1are updated in regards to the offset
value of the now scheduled f1and the maximum offset.
If the offset value f1= 45 and maximum offset =100 ,
55 time slots will be deducted on the successors links to
f15 and f3. In this way, when a dependency time unit on
the tree is smaller than 1 or has no predecessor, the frame
can be chosen to be scheduled in the next subset with the
order frame =add frames to schedule(dependency tree)
function as there is no possibility to break the dependency
constraint. For example, if we wrongly try to schedule f3on
the next principal loop iteration subset, there is a possibility
that its offsets value will be f3= 101. The top tree in Figure
3 shows that the minimum time slot has to be 57 more than
f1, but its offset is only 56 more resulting in a invalid global
schedule. The general case of update tree(dependency tree)
is divided on two steps: first, it removes the already scheduled
frames and second, it updates the link numbers of successors
of already scheduled frames.
Other dependencies constraints are tight between
two frames and can be solved in the same subset
of frames with the incremental approach, the
add intra dependent(dependency tree)function asserts the
constraints to the logical context to be taken into account.
Note that dependencies of frames between different subsets
are not defined on the logical context, as with the controlled
sequencing of the frames we assure that such definition is not
A. Test Case Description
In order to evaluate the performance of the decomposition
synthesizer with dependency sequencing, we have defined syn-
thetic test cases networks. We have evaluated the synthesizer in
four different networks with two different topologies: tree and
snowflake, both with a medium and a large size version. The
number of nodes, switches and links are presented in Table I.
M. Tree L. Tree M. Snowflake L. Snowflake
End Systems 16 64 27 243
Switches 15 63 13 121
Links 30 126 39 363
TABLE I: Number of end systems, switches and links of the
test cases networks
The network frames contain one sender and multiple re-
ceivers. Different configurations of receivers can be configured,
but in our case we defined all the frames as broadcast, meaning
that for a given end system sender, the receivers will be all the
remaining end systems of the network. We chose broadcast
frames as they are the hardest to schedule as they produce
the largest number of constraints. Frames have dependencies
with other frames in terns of application constraints that will
prevent a frame to be sent before a certain time slots of its
predecessor. Application constrains are modeled as a tree, in
which a frame can have up to five successor frames, but all
frames will not have more than one predecessor. The number
of frames with application constraints will vary in our test
cases on the range of [0% 50%] of the total frames of the
network. In all test cases, 20% of the application constraints
will be tight, and 80% will be loose. An application constraint
will be considered as tight if the successor minimum time slot
is smaller than 50 time slots, and loose if is larger.
As for the configuration parameters, we implemented the
decomposition synthesizer with Yices 2.3 [27] applying the
Linear Integer Arithmetic Background Theory [28]. The num-
ber of frames to be checked at each interval step in the
incremental approach is set at stepsize =9and the number
of frames per subset at hyperstepsize =100 . The experiments
were run in a MacBook Pro in OS X Yosemite with a 2,6 Ghz
Intel Core i7 and 16 GB of RAM.
B. Simple Decomposition SMT-based Synthesis Results
Results of the decomposition synthesizer scheduling for
different networks with a number of frames between 1,000
and 100,000 without application constraints can be seen in
Figure 4. Note that while the difference in synthesis time
between the medium and large snowflake topology networks
is small, this is not the case for the medium and large tree
topology networks. The increase of the number of end systems
and switches in the network does not directly increase the
complexity of synthesizing its schedule, as it happens in the
snowflake networks. The increase of complexity is due to
longer paths to send one frame from the sender to its receivers,
which increases the number of constraints to define a frame.
This is the reason the large tree network duplicate the needed
time to synthesize its schedule as its paths increase much more
for larger networks compared with the snowflake topology.
The number of frames in every subset to be scheduled
affects the synthesis time needed as the smaller the exponential
problems are, the faster that will be solved. For example in
Figure 5 for the medium snowflake network in which we
change the hyperstepsize value. But there is a drawback
in reducing the synthesis time decomposing the schedule in
smaller subset of frames; the quality of the schedule is lowered
Fig. 4: Synthesis time in seconds of the decomposition ap-
Fig. 5: Synthesis time in seconds of the decomposition ap-
proach for different number of frames per subset
as it increases the total time slots needed for the hyper-
period as Figure 6 shows. The reason that the hyper-period is
increased when the subset of frames is smaller is because every
scheduled subset is locked for other frames to be scheduled
inside. This prohibits the synthesizer to try to fit more frames
into the interval, which has a higher possibility to have free
time units for other frames to be scheduled into.
C. Dependency Ordering Decomposition SMT-based Synthesis
The modification of the decomposition approach to insert
a dependency ordering allows us to synthesize schedules with
Fig. 6: Minimum hyper-period size in time slots in regards to
the number of frames per subset
0% to 50% frames with application constraints, in which 20%
of them are tight and the rest are loose. Results for the size
snowflake network can be seen in Figure 7. The synthesis time
decrease compared the incremental synthesizer is about three
orders of magnitude, as it takes 1300 seconds to synthesize the
schedule of the medium snowflake network with 1,000 frames
and 10% frames with application constraints, meanwhile the
decomposition synthesizer only takes 19 seconds. The im-
provement of the performance on the new synthesizer allows us
to increase the number of frames to be scheduled, as with the
same amount of time we can synthesize schedules of networks
up to 50,000 frames. Such improvement is accomplished by
linearizing the complexity of an exponential problem with
the decomposition of a huge exponential problem in a linear
series of small exponential problems, allowing us to synthesize
schedules up to 100,000 frames in an hour. In regards to
the memory consumption of the decomposition synthesizer,
the memory needed is always up to 250 MB independently
of the number of frames to be scheduled or the size of the
network. This is also an improvement against the incremental
synthesizer as the memory consumption was highly related to
the number of frames, having a memory consumption up to
4.6 GB to synthesize the schedule of a 1,000 frames network.
The synthesis time for networks without application con-
straints and the simple decomposition approach (Figure 4) is
the same, as the new approach only adds a negligible over-
head managing the dependency tree. Networks with different
number of application constraints have similar synthesis time
as no more constraints are added on the logical context for the
loose constraints. Differences are due to tight constraints that
are not ordered inside the subset of frames, which are solved
with the incremental approach, and are highly dependent of
their assertion sequence into the logical context. This can be
seen in the 100,000 frames network, when the number of
tight application constraints is larger it is more likely that the
synthesizer performs backtracking on the schedule of a subset
Fig. 7: Synthesis time in seconds of the dependency ordering
decomposition approach with application constraints in M.
of frames to find a valid schedule.
Networks with longer paths are more prone to break some
constraints and consequently the synthesizer has to perform
backtracking more frequently than in smaller path networks.
Figure 8 shows the synthesis time for the large snowflake
network in which more variation are found for networks with
more than 25,000 frames. Performing backtracking can greatly
increase the synthesis time. For example, the synthesis time for
the 10,000 frames network and 30% application constraints
is 40% larger than other networks with the same number
of frames. In Figure 7, synthesis time for the 1,000 frames
network and 40% application constraints is 6 times larger than
other same frames networks.
In this paper we have presented a decomposition approach
to synthesize schedules of the ever-growing time-triggered
multihop networks. We decompose the network frames in
different subsets and synthesize independent schedules with a
state-of-the-art SMT solver. We have also presented a depen-
dency sequencing of the frames to be scheduled to integrate
loose application constraints on the decomposition approach
with negligible overhead and tight application constraints.
We performed an evaluation of the decomposition ap-
proach for different network topologies and sizes that shows
an improvement of the synthesis time with three orders of
magnitude compared to state-of-the-art approaches, allowing
us to synthesize schedules with 50 times more frames in the
same amount of time and up to 100,000 frames in one hour.
Implementing dependency sequencing provides the possibility
to synthesize schedules with up to 50% frames with application
constraints. Negligible overhead is added in the synthesis
time for the loose constraints. However, an appreciable and
unpredictable overhead is caused by the tight constraints that
becomes larger when the paths in the network grow.
Fig. 8: Synthesis time in seconds of the dependency ordering
decomposition approach with application constraints in L.
In the evaluation we showed that the hyper-periods could
grow to a large number of time slots, which could cause some
frames to miss their deadlines, as they have to wait for the
execution on the next hyper-period. For future work, we will
study scheduling of more than one instance of frames on the
same hyper-period for frames with deadlines smaller than the
execution of one hyper-period.
The research leading to these results has received funding
from the People Programme (Marie Curie Actions) of the
European Union’s Seventh Framework Programme FP7/2007-
2013/ under REA grant agreement n607727 and from the
Swedish Knowledge Foundation (KKS), under project n
[1] H. Kopetz and G. Bauer, “The Time-Triggered Architecture,” Proceed-
ings of the IEEE, vol. 91, no. 1, pp. 112–126, 2003.
[2] M. R. Garey and D. S. Johnson, “Computers and Intractability: a Guide
to the Theory of NP-completeness. 1979,” San Francisco, LA: Freeman,
[3] J.-P. Watson and J. C. Beck, “A Hybrid Constraint Programming/Local
Search Approach to the Job-Shop Scheduling Problem,” in Integration
of AI and OR Techniques in Constraint Programming for Combinatorial
Optimization Problems. Springer, 2008, pp. 263–277.
[4] C. Fang and L. Wang, “An Effective Shuffled Frog-Leaping Algorithm
for Resource-Constrained Project Scheduling Problem,” Computers &
Operations Research, vol. 39, no. 5, pp. 890–901, 2012.
[5] A. Ling, D. P. Singh, and S. D. Brown, “FPGA Logic Synthesis
using Quantified Boolean Satisfiability,” in Theory and Applications
of Satisfiability Testing. Springer, 2005, pp. 444–450.
[6] L. De Moura and N. Bjørner, “Satisfiability Modulo Theories: Intro-
duction and Applications,” Communications of the ACM, vol. 54, no. 9,
pp. 69–77, 2011.
[7] B. Dutertre and L. De Moura, “The Yices SMT Solver,” Tool paper at
http://yices. csl. sri. com/tool-paper. pdf, vol. 2, p. 2, 2006.
[8] L. De Moura and N. Bjørner, “Z3: An efficient SMT Solver,” in Tools
and Algorithms for the Construction and Analysis of Systems. Springer,
2008, pp. 337–340.
[9] W. Steiner, “An Evaluation of SMT-based Schedule Synthesis for Time-
Triggered Multi-Hop Networks,” in Real-Time Systems Symposium
(RTSS), 2010 IEEE 31st. IEEE, 2010, pp. 375–384.
[10] “TTEthernet Specification,” TTTech Computertechnik AG, Nov, 2008.
[11] L. Cordeiro, B. Fischer, and J. Marques-Silva, “SMT-based Bounded
Model Checking for Embedded ansi-c Software,” Software Engineering,
IEEE Transactions on, vol. 38, no. 4, pp. 957–974, 2012.
[12] G. Li and G. Gopalakrishnan, “Scalable SMT-based Verification of GPU
Kernel Functions,” in Proceedings of the eighteenth ACM SIGSOFT in-
ternational symposium on Foundations of software engineering. ACM,
2010, pp. 187–196.
[13] J. Peleska, E. Vorobev, and F. Lapschies, “Automated Test Case
Generation with SMT-solving and Abstract Interpretation,” in NASA
Formal Methods. Springer, 2011, pp. 298–312.
[14] S. Gulwani, S. Jha, A. Tiwari, and R. Venkatesan, “Synthesis of Loop-
Free Programs,” in ACM SIGPLAN Notices, vol. 46, no. 6. ACM,
2011, pp. 62–73.
[15] S. S. Craciunas and R. S. Oliver, “SMT-based Task-and Network-level
Static Schedule Generation for Time-Triggered Networked Systems,”
in Proceedings of the 22nd International Conference on Real-Time
Networks and Systems. ACM, 2014, p. 45.
[16] J. Huang, J. O. Blech, A. Raabe, C. Buckl, and A. Knoll, “Static
Scheduling of a Time-Triggered Network-on-Chip based on SMT
Solving,” in Proceedings of the Conference on Design, Automation and
Test in Europe. EDA Consortium, 2012, pp. 509–514.
[17] Z. Hanz´
alek, P. Burget, and P. Sucha, “Profinet IO IRT Message
Scheduling,” in Real-Time Systems, 2009. ECRTS’09. 21st Euromicro
Conference on. IEEE, 2009, pp. 57–65.
[18] A. Metzner, M. Franzle, C. Herde, and I. Stierand, “Scheduling Dis-
tributed Real-Time Systems by Satisfiability Checking,” in Embedded
and Real-Time Computing Systems and Applications, 2005. Proceed-
ings. 11th IEEE International Conference on. IEEE, 2005, pp. 409–
[19] L. Zhang, D. Goswami, R. Schneider, and S. Chakraborty, “Task-
and Network-Level Schedule Co-synthesis of Ethernet-based Time-
Triggered Systems.” in ASP-DAC, 2014, pp. 119–124.
[20] D. Tamas-Selicean, S. Marinescu, and P. Pop, “Analysis and Opti-
mization of Mixed-Criticality Applications on Partitioned Distributed
Architectures,” 2012.
[21] Y. Shin and K. Choi, “Software Synthesis through Task Decomposition
by Dependency Analysis,” in Computer-Aided Design, 1996. ICCAD-
96. Digest of Technical Papers., 1996 IEEE/ACM International Confer-
ence on. IEEE, 1996, pp. 98–102.
[22] I. Harjunkoski and I. E. Grossmann, “A Decomposition Approach for
the Scheduling of a Steel Plant Production,” Computers & Chemical
Engineering, vol. 25, no. 11, pp. 1647–1660, 2001.
[23] S. Choi and K. Wang, “Flexible Flow Shop Scheduling with Stochastic
Processing Times: A Decomposition-based Approach,” Computers &
Industrial Engineering, vol. 63, no. 2, pp. 362–373, 2012.
[24] ARINC specification 664P7, Aircraft Data Network, Part 7, Avionics
Full Duplex Switched Ethernet (AFDX) Network, Aeronautical Radio
Inc., 2005.
[25] T. P. Baker and A. Shaw, “The Cyclic Executive Model and Ada,
Real-Time Systems, vol. 1, no. 1, pp. 7–25, 1989.
[26] A. K. Mok and W. Wang, “Window-Constrained Real-Time Periodic
Task Scheduling,” in Real-Time Systems Symposium, 2001.(RTSS 2001).
Proceedings. 22nd IEEE. IEEE, 2001, pp. 15–24.
[27] B. Dutertre, “Yices 2.2,” in Computer Aided Verification. Springer,
2014, pp. 737–744.
[28] S. Ranise and C. Tinelli, “Satisfiability Modulo Theories,” Trends and
Controversies-IEEE Intelligent Systems Magazine, vol. 21, no. 6, pp.
71–81, 2006.
... A flow injection time scheduling algorithm (FITS) for the CQF model is designed through flow sorting and filtering in [20], [21], which incrementally generates scheduling schemes for time-sensitive flows by adjusting the network injection time. The research [22] developed the grouping scheduling method which divides flows into multiple independent subsets and schedules separately based on SMT. Then, an iterative scheduling algorithm with random stream partitioning (RSP) is addressed in [23], which improves the scalability of scheduling. ...
... Obviously, there exists (z (2) − β 2 )/ gcd(ρ 1 , ρ 2 ) such that (22) holds. Thus, we find z (2) and Proposition 2 is proved. ...
Full-text available
As an emerging communication technology, Time-Sensitive Networking (TSN) promises real-time and deterministic interactions of massive data in Industrial Internet of Things. However, it is challenging to schedule time-sensitive flows timely and superiorly through mechanism analysis for TSN scheduling models. This paper proposes an analysis approach of flow sequences based on divisibility theory to characterize flow conflicts and dependencies, which derives the scheduling flexibility based on flow position diversity (PD) and the equivalent flow judgment conditions for slot occupancy. Integrating the above derivation, a parallel computing framework with generalized slot lengths is established to lower the scheduling complexity. Within each computing unit, an efficient slot allocation algorithm is proposed to reduce the scheduling complexity while maintaining load balance for mixed transmission of periodic and aperiodic flows. For the optimality of runtime and load-balance, two PD-based flow sorting strategies are designed. Simulation results demonstrate the effectiveness and advantages of above algorithms.
... The sequencing policy contributes to 91% more average schedulability than the Random baseline, while the routing policy further improves it by 7.3%. The sequencing policy has a greater impact than the routing policy in line with previous work's observation [4], [17], [40]. Without it, DeepScheduler has only marginal schedulability improvement compared to the Random baseline. ...
Conference Paper
Full-text available
Time-Sensitive Networking (TSN) has been considered the most promising network paradigm for time-critical applications (e.g., industrial control) and traffic scheduling is the core of TSN to ensure low latency and determinism. With the demand for flexible production increases, industrial network topologies and settings change frequently due to pipeline switches. As a result, there is a pressing need for a more efficient TSN scheduling algorithm. In this paper, we propose DeepScheduler, a fast and scalable flow-aware TSN scheduler based on deep reinforcement learning. In contrast to prior work that heavily relies on expert knowledge or problem-specific assumptions, DeepScheduler automatically learns effective scheduling policies from the complex dependency among data flows. We design a scalable neural network architecture that can process arbitrary network topologies with informative representations of the problem, and decompose the problem decision space for efficient model training. In addition, we develop a suite of TSN-compatible testbeds with hardware-software co-design and DeepScheduler integration. Extensive experiments on both simulation and physical testbeds show that DeepScheduler runs >150/5 times faster and improves the schedulability by 36%/39% compared to state- of-the-art heuristic/expert-based methods. With both efficiency and effectiveness, DeepScheduler makes scheduling no longer an obstacle towards flexible manufacturing.
... Several methods have been proposed to solve TSN network flow scheduling. The more popular ones are [10]- [12] based on integer linear programming (ILP) and based on satisfiability theory (SMT) [13]- [15], or some custom heuristic methods [16], the general approach is to transform the scheduling problem into a multi-constraint problem with an objective function, and then input the objective function and constraints into the corresponding solver. Whether the solver can generate a solution can be used to judge whether the model is feasible, because if the model is not feasible, the solver cannot generate a solution. ...
The rise of Industry Internet of Things has promoted the rapid development of industrial Ethernet networks. IEEE Time-Sensitive Networking (TSN) Task Group has developed a set of standards to guarantee real-time and deterministic communication for time-critical industrial applications. Recently, the combination of TSN and software-defined network (i.e., TSSDN) attracted much attention from academia and industry. It ensures deterministic transmission for time-sensitive applications while improving the flexibility of TSN. In TSSDN, traffic scheduling scheme is crucial to meet bounded low latency communication. However, current traffic scheduling methods largely rely on the single constraint condition, which is challenging to handle the complex real factory network scenario. In this paper, we propose two scheduling mechanisms for different industrial scenarios to address the above challenge. We proposed a strict constraint mechanism to address the intra-level traffic scheduling problem, while a relaxed constraint mechanism is proposed for scheduling inter-level traffic. The results show that the proposed scheduling mechanism is 12.6%-25.32% more scheduling success rate than the single scheduling scheme, and the queue utilization rate is reduced by 17.9%.
... Although usage of SMT solvers show the practical efficiency, when using it for either synthesis or verification one has to use it with care i.e have to consider the decomposition of the expressed specifications and the entire system. There are some works on these aspects i.e using SMT solvers with decomposition [Poz+15] and divide and conquer [McC18] method in synthesis of network events. Now we move on to describe the particular reactive synthesis tool we are using for the experimentation of various SDN-IoT functionalities. ...
Towards the automation of Software-Defined Network (SDN) based Internet of Things (IoT) platforms, we are using formal analysis and synthesis techniques to ensure their safe behaviors. SDN a flexible and low cost networking principle which provides dynamic distributed system applications, IoT is one such kind. There is a strong need for consistent and correct integration of IoT applications in SDN environment. Using formal compositional verification methods for analyzing the safety of an SDN-IoT environment, we provide a detailed synthesis framework to model the abstract behaviour of IoT devices, SDN manager and automatically generate low level implementation code to be integrated with IoT applications.
Conference Paper
Full-text available
Flexible manufacturing is one of the core goals of Industry 4.0 and brings new challenges to current industrial control systems. Our detailed field study on auto glass industry revealed that existing production lines are laborious to reconfigure, difficult to upscale, and costly to upgrade during production switching. Such inflexibility arises from the tight coupling of devices, controllers, and control tasks. In this work, we propose a new architecture for industrial control systems named Control-as-a-Service (CaaS). CaaS transfers and distributes control tasks from dedicated controllers into Time-Sensitive Networking (TSN) switches. By combining control and transmission functions in switches, CaaS virtualizes the industrial TSN network to one Programmable Logic Controller (PLC). We propose a set of techniques that realize end-to-end determinism for in-network industrial control and a joint task and traffic scheduling algorithm. We evaluate the performance of CaaS on testbeds based on real-world networked control systems. The results show that the idea of CaaS is feasible and effective, and CaaS achieves absolute packet delivery, 42-45% lower latency, and three orders of magnitude lower jitter. We believe CaaS is a meaningful step towards the distribution, virtualization, and servitization of industrial control.
At present, the development of optical transport and access network has entered the fifth-generation fixed network (F5G) era. Services carried by optical transport network of F5G have stringent requirements for network performance. Optical transport networks can provide services with deterministic bandwidth and delay after lightpaths are established. The time to establish a lightpath may determine whether the service can be successfully transmitted. Lightpath establishment delay includes signaling delay and device configuration delay. Signaling delay is not deterministic as signaling is implemented based on non-deterministic packet switching in data communication network (DCN). Thus, realizing the deterministic signaling is a key research problem. Deterministic signaling means to complete signaling transmission at a given time, which can be divided into hard real-time signaling and soft real-time signaling. In this paper, we propose a latency-aware scheduling scheme for deterministic signaling in F5G. Simulative results show that i) for hard real-time signaling scheduling, the proposed latency-aware scheduling ( LAS ) scheme reduces scheduling failure rate by 11.25%, improves resource utilization rate by 3.56%; ii) for hard real-time signaling and soft real-time signaling scheduling, the proposed scheme reduces scheduling failure rate by 6.57%, improves resource utilization rate by 3.34% and reduces end-to-end latency by 1.01s.
Conference Paper
Full-text available
Time-Sensitive Networking (TSN) is the most promising network technology for Industry 4.0. A series of IEEE standards on TSN introduce deterministic transmission into standard Ethernet. Under the current paradigm, TSN can only schedule the deterministic transmission of time-triggered critical traffic (TCT), neglecting the other type of traffic in industrial cyber physical systems, i.e., event-triggered critical traffic (ECT). So in this work, we propose a new paradigm for TSN scheduling named E-TSN, which can provide deterministic transmission for both TCT and ECT. The three techniques of E-TSN, i.e., probabilistic stream, prioritized slot sharing, and prudent reservation, enable the deterministic transmission of ECT in TSN, and at the same time, protect TCT from the impacts of ECT. We also develop and make public a TSN evaluation toolkit to fill the gap in TSN study between algorithm design and experimental validation. The experiments show that E-TSN can reduce the latency and jitter of ECT by at least an order of magnitude compared to state-of-the-art methods. By enabling reliable and timely delivery of ECT in TSN for the first time, E-TSN can broaden the application scope of TSN in industry.
Conference Paper
Full-text available
In Ethernet-based time-triggered networks, like TTEthernet, a global communication scheme, for which the schedule synthesis is known to be an NP-complete problem, establishes contention-free windows for the exchange of messages with guaranteed low latency and minimal jitter. However, in order to achieve end-to-end determinism at the application level, software tasks running on the end-system nodes need to obey a similar execution scheme with tight dependencies towards the network domain. In this paper we address the simultaneous co-synthesis of network as well as application schedules for preemptive time-triggered tasks communicating in a switched multi-speed time-triggered network. We use Satis�fiability Modulo Theories (SMT) to formulate the scheduling constraints and solve the resulting problem using a state-of-the-art SMT solver. Furthermore, we introduce a novel incremental scheduling approach, based on the demand bound test for synchronous constrained-deadline periodic tasks, which signi�cantly improves scalability for the average case without sacrifi�cing schedulability. We demonstrate the performance of our approach using synthetic network topologies and system con�figurations.
Full-text available
Periodic processes are major parts of many real-time embedded computer applications. The programming language Ada permits programming simple periodic processes, but it has some serious limitations; producing Ada programs with real-time performance comparable to those produced to date using traditional cyclic executives requires resorting to techniques that are specific to one machine or compiler. We present and evaluate the cyclic executive model for controlling periodic processes. The features and limitations of Ada for programming cyclic executive software are discussed and demonstrated, and some practical techniques for circumventing Ada limitations are described.
We consider the problem of synthesizing loop-free programs that implement a desired functionality using components from a given library. Specifications of the desired functionality and the library components are provided as logical relations between their respective input and output variables. The library components can be used at most once, and hence the library is required to contain a reasonable overapproximation of the multiset of the components required. We solve the above component-based synthesis problem using a constraint-based approach that involves first generating a synthesis constraint, and then solving the constraint. The synthesis constraint is a first-order ∃∀ logic formula whose size is quadratic in the number of components. We present a novel algorithm for solving such constraints. Our algorithm is based on counterexample guided iterative synthesis paradigm and uses off-the-shelf SMT solvers. We present experimental results that show that our tool Brahma can efficiently synthesize highly nontrivial 10-20 line loop-free bitvector programs. These programs represent a state space of approximately 20¹⁰ programs, and are beyond the reach of the other tools based on sketching and superoptimization.
Conference Paper
Yices is an SMT solver developed by SRI International. The first version of Yices was released in 2006 and has been continuously updated since then. In 2007, we started a complete re-implementation of the solver to improve performance and increase modularity and flexibility. We describe the latest release of Yices, namely, Yices 2.2. We present the tool’s architecture and discuss the algorithms it implements, and we describe recent developments such as support for the SMT-LIB 2.0 notation and various performance improvements.
In this paper, we study time-triggered distributed systems where periodic application tasks are mapped onto different end stations (processing units) communicating over a switched Ethernet network. We address the problem of application level (i.e., both task- and network-level) schedule synthesis and optimization. In this context, most of the recent works [10], [11] either focus on communication schedule or consider a simplified task model. In this work, we formulate the co-synthesis problem of task and communication schedules as a Mixed Integer Programming (MIP) model taking into account a number of Ethernet-specific timing parameters such as interframe gap, precision and synchronization error. Our formulation is able to handle one or multiple timing objectives such as application response time, end-to-end delay and their combinations. We show the applicability of our formulation considering an industrial size case study using a number of different sets of objectives. Further, we show that our formulation scales to systems with reasonably large size.
Conference Paper
In this paper we are interested in mixed-criticality applications implemented using distributed heterogenous architectures, composed of processing elements (PEs) interconnected using the TTEthernet protocol. At the PE-level, we use partitioning, such that each application is allowed to run only within predefined time slots, allocated on each processor. At the communication-level, TTEthernet uses the concepts of virtual links for the separation of mixed-criticality messages. TTEthernet integrates three types of traffic: Time-Triggered (TT) messages, transmitted based on schedule tables, Rate Constrained (RC) messages, transmitted if there are no TT messages, and Best Effort (BE) messages. We assume that applications are scheduled using Static Cyclic Scheduling (SCS) or Fixed-Priority Preemptive Scheduling (FPS). We are interested in analysis and optimization methods and tools, which decide the mapping of tasks to PEs, the sequence and length of the time partitions on each PE and the schedule tables of the SCS tasks and TT messages, such that the applications are schedulable and the response times of FPS tasks and RC messages is minimized. We have proposed a Tabu Search-based meta-heuristic to solve this optimization problem, which has been evaluated using several benchmarks.
Time-Triggered Network-on-Chip (TTNoC) is a networking concept aiming at providing both predictable and high-throughput communication for modern multiprocessor systems. The message scheduling is one of the major design challenges in TTNoC-based systems. The designers not only need to allocate time slots but also have to assign communication routes for all messages. This paper tackles the TTNoC scheduling problem and presents an approach based on Satisfiability Modulo Theories (SMT) solving. We first formulate the complete problem as an SMT instance, which can always compute a feasible solution if exists. Thereafter, we propose an incremental approach that integrates SMT solving into classical heuristic algorithms. The experimental results show that the heuristic scales significantly better with only minor loss of performance.
SMT stands for Satisfiability Modulo Theories. An SMT solver decides the satisfiability of propositionally complex formulas in theories such as arithmetic and uninterpreted functions with equality. SMT solving has numerous applications in auto-mated theorem proving, in hardware and software verification, and in scheduling and planning problems. This paper describes Yices, an efficient SMT solver developed at SRI International. Yices supports a rich combination of first-order theories that occur frequently in soft-ware and hardware modeling: arithmetic, uninterpreted functions, bit vectors, arrays, recursive datatypes, and more. Beyond pure SMT solving, Yices can solve weighted MAX-SMT problems, compute unsatisfiable cores, and construct models. Yices is the main decision procedure used by the SAL model checking environment, and it is be-ing integrated to the PVS theorem prover. As a MAX-SMT solver, Yices is the main component of the probabilistic consistency engine used in SRI's CALO system.