Nice overview. Windows 1-3 used "non-premptive" or "cooperative" scheduling, which is why any process could hang the system. That method does have its uses though. I once wrote a micro kernel for MSP430 that did it that way too. As long as you can guarantee that a task will complete within a specified time, it's a good lightweight solution.
There's an intermediate point between pre-emptive and cooperative that I've found useful. For the lack of a better name let's call it "you-better-cooperate".
Suppose a real-time system using cooperative scheduling where well-behaved tasks yield within a guaranteed time window. Suppose also a system that has the ability to launch and restart processes for example in the case of error. In such a system, a poorly-behaved process can hang the system because it doesn't yield.
Introducing pre-emption to such a system avoids the potential hangs, but (a) adds the complexity of pre-emption; (b) only gets exercised in the case that you're already in a failure state (process failed to yield); and (c) allows processes in a known failure state to continue.
Instead, when a process is scheduled, set a timer interrupt for a time period after its guaranteed yield. When the process yields, cancel that timer (or re-schedule it for the next process). If the timer fires, just kill and restart the non-yielding process.
In a limited set of cases, this is a simpler, more robust, and equally powerful system compared to both full pre-emption and cooperation.
If i'm understanding this correctly, then the difference between pre-emptive scheduling and the intermediate you described would be that in the pre-emptive scheduling case, a poorly-behaved process would be forced to give up the CPU and then be scheduled to run again at some point in the future (in a failure state) whereas, in the intermediate solution, a poorly-behaved process would be killed and restarted.
Is that correct? If so, wouldn't this make matters worse if the poorly-behaved process is guaranteed to hang? Is killing a process and restarting it worse or better than context-switching repeatedly?
Killing a process and restarting it is /often/ better than context switching repeatedly, but not always. Pro: It puts the process into a known state. Con: It removes the opportunity for slow forward progress. In the case where the process has been designed to have fixed latency, then slow forward progress is roughly as scary as memory corruption -- something is horribly wrong and you don't know if you're observing a minor symptom of a major problem.
Balancing the pro/con there can be interesting, but the system level pro puts a pretty heavy thumb on the scales. In the intermediate approach, because there's no real pre-emption a whole class of race conditions can't exist. This can be pretty big for ease of system analysis.
Linux real time scheduling (SCHED_FIFO and SCHED_RR) use a variation on this that approaches it from the other side.
Tasks in those two scheduling tasks will basically never be preempted by a lower priority task nor a task in any other scheduling class. However the system has an overall percentage limit on how much of the cpu tasks in these classes may consume. If they consume more than this limit, they will be preempted and non-RT tasks will run "for a while" before heading back to RT tasks.
A real time operating system can, by definition, not be cooperative. Definitely not a hard one and a soft one most likely not either, simply because it can not guarantee that it will process the interrupt quickly enough to be qualified as RTOS.
A real time system can be cooperative. A real time operating system can use pre-emption to achieve bounded latency. A real time system that does not use pre-emption can use other mechanisms -- including a combination of analytical bounding of task run-times and static cooperative scheduling -- to achieve bounded latency. The latter system can be enhanced by enforcing the analytical bounds, making it somewhat robust to errors in analysis. One can argue that this enforcement makes the system non-cooperative, it's certainly not full pre-emption with all the costs and benefits that go with.
As an example of such a system, consider a bare metal BLDC motor driver. You may statically schedule a sequence of tasks -- read current sensors, read commands, adjust PWM hardware registers, read temperature sensors, change state on temperature error, loop. Suppose that the 'read temperature sensors' task can fail to meet its analytic time budget because the I2C hardware can get into a weird state and just not return. (Suppose further that this isn't hypothetical...) Then having a kill-and-reset-on-timeout feature for the temperature sensor task is an obvious and reasonable workaround to give an improved system. That feature can be added to the temperature sensor task; or, it can be added as a general feature to the round robin scheduler in the way I described.
Hope that's a helpful description of what I was trying to explain! I'm not in any way saying this is a general solution or a universal replacement for a real RTOS; rather that it's a pattern I've ended up re-deriving a time or two that I find interesting.
Heh. I2C was part of what I was doing on the aforementioned MSP430 OS. I ended up breaking up all the I2C stuff into parts of a state machine (I think I ended up with six states), and ran it in the background as the lowest priority main loop.
The MSP430 RTOS I wrote was real-time and cooperative, with the caveat that it was application specific, and no task would ever take more than one millisecond to complete. I was careful to design all the tasks so they would never exceed the maximum run-time. For the tasks that needed more time, I broke them into several sub-tasks.
You said; "When you set a timer, which stops the running task to switch "to somewhere else", then it's not cooperative." You are correct. The OS does not require the cooperation of the task in order to suspend it and start/resume a different task. A non-cooperative OS does not require the task to either make a system call (such as waiting on I/O) or to finish. It will preempt the running task according to the scheduler rules. Typically a scheduler will receive periodic interrupts so that it can assess which task should be made active. On real-time systems without much processing headroom, the context switching between tasks can take up a significant percentage of CPU time, which is why I went with cooperative multitasking on the (25MHz) MSP430 micro-controller.
It's very useful as a tool, though I think the ideal is a mix of both. You can do cooperative for the happy path and have an interrupt if something goes wrong with a thread not yielding. The main disadvantage is that single threaded plus fully cooperative makes avoiding races a lot easier.
I remember when the Linux kernel's preemptible patches were introduced. It already had preemptible userspace, but the kernel wasn't, leading to lots of latency issues. Once they hacked up SMP support to add preempting, things were so much smoother
Classic MacOS did the same thing. Basically, all GUI processes call GetNextEvent() at the head of the event loop. In 1985 Andy Hertzfeld wrote Switcher which used the GetNextEvent() entry point to pause an app and allow another app to run until the next call. Hertzfeld got the idea from the DOS utility Memory Shift.
This is how RTOSs work on microcontrollers that don't have a supervisor mode. A hardware timer interrupts each process and the interrupt handler switches which process is active. However, there's nothing stopping one process from disabling interrupts for some critical activity (like bit-banging some serial output) and then forgetting to re-enable them.
I had a scanner that became much more stable running on a Mac OS 9 machine than a Windows machine simply because the scanning software could "hang" the mac and monopolize the SCSI port with exact timing.
