Formal Methods and Systems, David Cock, ETH Zürich, 18/01/16 (PowerPoint presentation)



SLIDE 1

Formal Methods and Systems

David Cock, ETH Zürich

18/01/16

SLIDE 2

18 January 2016 Industry Retreat 2016 2

Overview

  • Correctness challenges in Barrelfish.
  • System configuration using SAT.
  • Tracing and online invariant checking.
  • Better languages for Systems.

SLIDE 3

The State of the Fish

  • 7 architectures: OMAP44xx, ARMv7/GEM5, X-Gene 1, ARMv8/GEM5, Xeon Phi, x86-64, x86-32

  • 42 applications + 51 test apps
  • 9 languages
  • 32 committers
  • 9 years old
  • > 1.1M lines of code

This is no longer a small research project! We're starting to see the engineering challenges of a large system.

SLIDE 4

Getting It Right

A lesson from history: It's easier to prove code correct, if it actually is correct!

  • We embarked on a new port last year: ARMv8.
  • This forced us to face some codebase “challenges”.
  • We now support fewer platforms, more thoroughly.
  • We now make a core vs. non-core distribution.
  • Proper debugging is coming (more later).

SLIDE 5

SAT Solving and the SKB

SLIDE 6

CLP solver (Prolog + constraints)

Handling OS complexity

  • System Knowledge Base
    – Hardware info
    – Runtime state
  • Rich semantic model
    – Represent the hardware
    – Reason about it
    – Embed policy choices

Diagram inputs: hardware data and specification; runtime system information.

SLIDE 7

What goes in?

  • Hardware resource discovery
    – E.g. PCI enumeration, ACPI, CPUID…
  • Online hardware profiling
    – Inter-core all-pairs latency, cache measurements…
  • Operating system state
    – Locks, process placement, etc.
  • “Things we just know”
    – SoC specs, assertions from data sheets, etc.

SLIDE 8

Current SKB applications

  • General name server / service registry
  • Coordination service / lock manager
  • Device management
    – Driver startup / hotplug
  • PCIe bridge configuration
    – A surprisingly hard CSAT problem!
  • Intra-machine routing
    – Efficient multicast tree construction
  • Cache-aware thread placement
    – Used by e.g. databases for query planning

SLIDE 9

Prolog + SAT

  • There are limits to what Prolog will efficiently solve.
  • Address allocation under alignment constraints, e.g. PCI, is better expressed in terms of bits.
  • SAT solvers have gotten really good lately.
  • Can we express PCI bridge config as SAT (yes!).
  • Can we put a SAT solver in the SKB (research!).
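A worked version of the bit-level formulation, added here and not code from the Barrelfish SKB: natural alignment is a mask test on the low bits, non-overlap is an interval test, and a small backtracking search stands in for the CLP/SAT solver. The device list, window and 4 KiB step are constructed assumptions.

```python
"""Address allocation under alignment constraints, written at the bit level.

Added example, not code from the Barrelfish SKB: the SKB hands constraints like
these to a CLP or SAT solver; here a small backtracking search stands in for the
solver so that the constraints themselves are the point. Devices are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed devices: (name, region size). PCI BARs are naturally aligned,
# i.e. a region of size 2^k may only start at a multiple of 2^k.
DEVICES: List[Tuple[str, int]] = [
    ("nic", 0x1000),    # 4 KiB
    ("gpu", 0x8000),    # 32 KiB
    ("usb", 0x2000),    # 8 KiB
    ("sata", 0x1000),   # 4 KiB
]


def aligned(base: int, size: int) -> bool:
    # Natural alignment as a bit test: size is a power of two and the
    # low log2(size) bits of base are all zero.
    return size & (size - 1) == 0 and base & (size - 1) == 0


def overlaps(a_base: int, a_size: int, b_base: int, b_size: int) -> bool:
    return a_base < b_base + b_size and b_base < a_base + a_size


def allocate(devices: List[Tuple[str, int]], win_base: int, win_size: int,
             step: int = 0x1000) -> Optional[Dict[str, int]]:
    """Place every device inside [win_base, win_base + win_size) with natural
    alignment and no overlap; return name -> base, or None if unsatisfiable.
    `step` assumes all sizes are multiples of 4 KiB (page granularity)."""
    placed: Dict[str, int] = {}
    order = sorted(devices, key=lambda d: -d[1])  # largest first: fails fast

    def search(i: int) -> bool:
        if i == len(order):
            return True
        name, size = order[i]
        for base in range(win_base, win_base + win_size - size + 1, step):
            if not aligned(base, size):
                continue
            if any(overlaps(base, size, placed[n], s) for n, s in order[:i]):
                continue
            placed[name] = base
            if search(i + 1):
                return True
            del placed[name]
        return False

    return dict(placed) if search(0) else None
```

A window that is large enough but starts off the 32 KiB boundary (for example 0xE0001000 with 0xC000 of space) is unsatisfiable purely because of the alignment bits, which is exactly what makes the problem awkward for plain Prolog.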

SLIDE 10

Tracing for Invariants

SLIDE 11

HW Tracing for Correctness

unmap(pa); cleanDCache(); flushTLB();

Are HW operations right?

Trace pipeline: 5Gb/s → filter at line rate → check temporal assertions → log & process offline.

  • Real time pipeline trace on ARM.
  • Can halt and inspect caches.
  • HW has “errata” (bugs).
  • Check that it actually works!
  • Catch transient and race bugs.

SLIDE 12

HW Tracing for Performance

Trace pipeline: 5Gb/s → filter at line rate → log & process offline.

URPC[0] = x; URPC[1] = 1;    while (!URPC[1]); x = URPC[0];

Diagram: Core 0 (Cache 0) and Core 1 (Cache 1) exchange x through the URPC line; coherency traffic INVAL(0), READ(1), …

Is URPC optimal?

  • Should see N coherency messages.
  • Do we?
    ‐ The HW knows!

SLIDE 13

Online Example: LTL to Büchi

  • LTL(-ish) formula: A store on core 1 is eventually visible on core 2.
  • Think regular expressions for infinite streams.
  • As for REs, we compile a checking automaton.
  • Run the automaton in real time and look for violations.
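The checking automaton for that formula, as an added example rather than code from the Barrelfish tracing work: a hand-written monitor (the compiled Büchi automaton is replaced by an explicit pending-obligation state) run over a constructed trace. The Event fields, the core numbers and the bounded window that stands in for "eventually" on a finite trace are all assumptions.

```python
"""Online checker for the LTL(-ish) property "a store on core 1 is eventually
visible on core 2", run over a trace stream. Added example, not from the
Barrelfish tracing pipeline: the automaton is hand-written rather than compiled
from LTL, the Event fields are assumed, the trace is constructed, and because a
real trace is finite, "eventually" is bounded by a window of events (assumption)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Event:
    seq: int    # position in the trace stream
    core: int   # core that performed the access
    op: str     # "st" or "ld"
    addr: int
    val: int

class VisibilityMonitor:
    """State: per address, the (value, seq) stored by `src` that `dst` has not
    observed yet. An empty pending map is the accepting state."""
    def __init__(self, src: int, dst: int, window: int):
        self.src, self.dst, self.window = src, dst, window
        self.pending: Dict[int, Tuple[int, int]] = {}
        self.violations: List[str] = []

    def step(self, ev: Event) -> None:
        if ev.core == self.src and ev.op == "st":
            self.pending[ev.addr] = (ev.val, ev.seq)   # obligation opened
        elif ev.core == self.dst and ev.op == "ld" and ev.addr in self.pending:
            if self.pending[ev.addr][0] == ev.val:
                del self.pending[ev.addr]              # dst saw it: discharged
        # Bounded "eventually": obligations older than `window` events fail.
        for addr, (val, seq) in list(self.pending.items()):
            if ev.seq - seq > self.window:
                self.violations.append(f"store {val:#x} to {addr:#x} at #{seq} "
                                       f"not visible on core {self.dst} within "
                                       f"{self.window} events")
                del self.pending[addr]

def check(trace: List[Event], window: int = 4) -> List[str]:
    mon = VisibilityMonitor(src=1, dst=2, window=window)
    for ev in trace:
        mon.step(ev)
    return mon.violations

# Constructed trace: the store to 0x1000 becomes visible, the one to 0x2000 does not.
TRACE = [Event(0, 1, "st", 0x1000, 0xAA), Event(1, 2, "ld", 0x1000, 0x00),
         Event(2, 2, "ld", 0x1000, 0xAA), Event(3, 1, "st", 0x2000, 0xBB),
         Event(4, 2, "ld", 0x2000, 0x00), Event(5, 0, "ld", 0x2000, 0x00),
         Event(6, 2, "ld", 0x2000, 0x00), Event(7, 2, "ld", 0x2000, 0x00),
         Event(8, 2, "ld", 0x2000, 0x00)]
```

The monitor processes each event once and keeps only open obligations, which is what lets it keep up with a filtered line-rate stream rather than needing the whole log.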

SLIDE 14

Could We Trace a Rack?

  • Barrelfish is aiming for rack-scale single-image systems.
  • We'll rely on a lot of coordination and consensus algorithms.
  • It would be really useful to debug these noninvasively.
  • 64 SoCs x 5Gb/s = 320Gb/s trace output.
  • That'll need some data reduction, but it's very feasible.
  • Online checkers (e.g. automata) will be essential at this scale and up.

SLIDE 15

Languages

SLIDE 16

Languages and Formal Methods

  • Practical kernels are C/C++/ASM
  • Some things we might like:
    – First-class messaging (Go)
    – Specifying layout (Rust)

The hard part about reasoning about “C” is that we keep stepping outside the language.

SLIDE 17

What Should We Write Kernels In?

  • Some languages have some of what we want:
    – No runtime, high performance (C)
    – Predictable resource usage (C, Rust)
    – Clear and clean semantics (Haskell, Rust?)
  • No languages have everything (yet):
    – Enough expressive power: Can you enable the MMU, or thread switch without breaking the language rules?
  • We should experiment with this: start with Clang/LLVM, drop the ugly parts?

SLIDE 18

Poster on HW tracing this evening.