Proof of OS scheduling behavior in the presence of interrupt-induced concurrency - PowerPoint PPT Presentation


SLIDE 1

Proof of OS scheduling behavior in the presence of interrupt-induced concurrency

June Andronick, Corey Lewis, Daniel Matichuk, Carroll Morgan, Christine Rizkallah
May 2016
http://trustworthy.systems/

SLIDE 2

Interrupts in OS code | June Andronick

Mission and Approach

eChronos: embedded OS for constrained hardware (no memory protection, low latency)
  • model-level proof of scheduling correctness (interruptible, single-core, preemptive multi-threaded)
  • concurrency: shared-memory, racy, controlled

Owicki-Gries: simple foundational concurrency method (conceptually simple shared-variable reasoning)

Isabelle/HOL: modern theorem prover (machine-checked proofs, automation)

+ AWAIT-painting + proof engineering

SLIDE 3

Embedded OSes — eChronos

(Joint development with Breakaway Consulting)

What:
  • allows applications to be organised in tasks
  • provides a library of synchronisation primitives (API: signal_send, signal_wait)
  • schedules tasks according to some policy (e.g. priorities)

Target:
  • small OS library (~500 SLOC)
  • preemptive scheduling (not cooperative)
  • ARM platform (nested interrupts…)

[Figure: applications (task A, task B) call the OS API (signal_send, signal_wait); the OS consists of the scheduler and internal functions; task states C=current, R=runnable, B=blocked; interrupt 1, interrupt 2, interrupt 3 trigger handler 1, handler 2, handler 3, which can call (some) OS functions.]

“running task is highest priority runnable task”

SLIDE 4

Scheduling behavior, informally

The system:
  • task A, task B: OS function call (internal-stuff; R := ...)
  • scheduler: R := handleEvent R E; next := schedPolicy R; switch next
  • handler 1, handler 2, handler 3, ...: E := ...; schedReq; rfi
  • R and E are read and updated without locks
  • execution can non-deterministically jump to a handler from anywhere else

The property: when executing internal-stuff, the current thread should be (policy (update R E))

SLIDE 5

Overview

The system, model of:
  Generic interleaving: definition interleaving ... ≡ A1‖ …‖ An‖ Sched‖ H1‖ …‖ Hm
  HW API: definition ITake(X) ≡ ...   definition IRet(X) ≡ ...
  eChronos instantiation: definition echronos-sys ≡ interleaving … … …

The property, model of “running task is highest priority runnable task”:
  definition sched_inv ≡ (AT ∈ User_tasks ⋀ sched ∈ EI) ⟹ schedPolicy (handleEvent E R) = AT
  theorem ⊩i{sched_inv} {⊤} echronos_sys {⊥}

∼3,000 subgoals done

SLIDE 6

Interleaving

[Figure: execution timeline of task A, task B, sched, handler 1 and handler 2, with the interrupt and return points numbered 1 to 4.]

  • application code is interruptible and preemptible
  • OS code is interruptible but not preemptible
  • scheduler code is interruptible but not preemptible
  • handlers are interruptible (not preemptible)

Our model covers all these interleavings

SLIDE 7

Interleaving: model

task A, task B, sched, handler 1, handler 2, handler 3:

  code_A || code_B || code_sch || code_H1 || code_H2 || code_H3

Concurrency only happens here (at the ||).

We first allow full concurrency (Owicki-Gries) and then we restrict it: we “await-paint”.

SLIDE 8

Owicki-Gries (Suzanne Owicki and David Gries, 1976)

What: extension of Hoare logic to shared-variable parallel programs

c ≡ x := v | c1 ; c2 | IF b THEN c1 ELSE c2 FI | WHILE b DO c OD | cobegin c1 || c2 || ... || cn coend | AWAIT b THEN c END

Hoare logic:  {P} c {Q}

OG:  {P} c1; {P2} c2; {P3} c3; {Q}   ||   {P’} c1’; {P2’} c2’; {P3’} c3’; {Q’}

VCG (Leonor Prensa Nieto, 2002)

SLIDE 9

Owicki-Gries (continued)

VCG (Leonor Prensa Nieto, 2002) generates:
  • local correctness: prove each {ai} ci {ai+1}
  • interference freedom: for each assertion a in P, and each command c’ in P’ (with precondition a’), prove that {a ∧ a’} c’ {a}

SLIDE 10

Owicki-Gries (continued)

VCG caveats:
  ! requires a fully annotated program
  ! quadratic explosion of verification conditions
  ! not compositional
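The two obligation kinds from slides 9 and 10, as an added example that is not code from the slides or from the Isabelle/HOL development: a brute-force Owicki-Gries checker over a finite state space. It generates local-correctness and interference-freedom conditions for a cobegin c1 || c2 coend and discharges them by enumeration instead of a theorem prover, so the quadratic count of interference conditions and the failure of a naive annotation are both visible. The program, its annotations and the auxiliary variables d1, d2 are this example's own (the classic x := x + 1 || x := x + 1 exercise).

```python
"""A tiny Owicki-Gries verification-condition checker over a finite state space.

Added example, not code from the slides or from the Isabelle/HOL development.
The program, annotations and auxiliary variables below are constructed here.
"""
from itertools import product

# A component is ([(a_0, c_0), (a_1, c_1), ...], post): annotated straight-line
# code in the {a_i} c_i {a_i+1} shape.  Assertions map a state to bool;
# commands map a state to the next state and are taken as atomic.


def first_assertion(component):
    steps, post = component
    return steps[0][0] if steps else post


def assertions(component):
    steps, post = component
    return [a for a, _ in steps] + [post]


def local_correctness(states, component):
    """Counterexamples to {a_i} c_i {a_i+1}: (step index, state) pairs."""
    steps, post = component
    bad = []
    for i, (a, c) in enumerate(steps):
        nxt = steps[i + 1][0] if i + 1 < len(steps) else post
        bad += [(i, s) for s in states if a(s) and not nxt(c(s))]
    return bad


def interference_freedom(states, components):
    """For every assertion a of one component and every {a'} c' of another,
    {a ∧ a'} c' {a}.  Returns (number of obligations, counterexamples); the
    count is (#assertions) x (#commands of the other components)."""
    obligations, bad = 0, []
    for p, comp in enumerate(components):
        for a in assertions(comp):
            for q, other in enumerate(components):
                if q == p:
                    continue
                for a2, c2 in other[0]:
                    obligations += 1
                    bad += [(p, q, s) for s in states if a(s) and a2(s) and not a(c2(s))]
    return obligations, bad


def og_check(states, components, pre, post):
    """OG parallel rule: pre implies every first assertion, each component is
    locally correct, the annotations are interference free, and the
    conjunction of the components' posts implies post."""
    obligations, interference = interference_freedom(states, components)
    return {
        "entry_ok": all(all(first_assertion(c)(s) for c in components)
                        for s in states if pre(s)),
        "local_ok": all(not local_correctness(states, c) for c in components),
        "interference_ok": not interference,
        "exit_ok": all(post(s) for s in states if all(c[1](s) for c in components)),
        "interference_vcs": obligations,
    }


# Constructed instance: two components each doing x := x + 1 on shared x.
STATES = [{"x": x, "d1": d1, "d2": d2}
          for x, d1, d2 in product(range(3), (False, True), (False, True))]
PRE = lambda s: s["x"] == 0 and not s["d1"] and not s["d2"]
POST = lambda s: s["x"] == 2

inc = lambda s: {**s, "x": s["x"] + 1}
eq0, eq1 = (lambda s: s["x"] == 0), (lambda s: s["x"] == 1)

# Naive annotation {x=0} x:=x+1 {x=1} for both components: locally fine, but the
# other component's increment invalidates {x=0}, and the conjoined posts only give x=1.
NAIVE = [([(eq0, inc)], eq1), ([(eq0, inc)], eq1)]


def inc_and_flag(d):          # <x := x + 1; d := True> with auxiliary variable d
    return lambda s: {**s, "x": s["x"] + 1, d: True}


def before(me, other):        # not done yet, and x counts the other's progress
    return lambda s: not s[me] and s["x"] == int(s[other])


def after(me, other):
    return lambda s: s[me] and s["x"] == 1 + int(s[other])


# Annotation with auxiliary "done" flags: every obligation is discharged.
AUX = [([(before("d1", "d2"), inc_and_flag("d1"))], after("d1", "d2")),
       ([(before("d2", "d1"), inc_and_flag("d2"))], after("d2", "d1"))]
```

With two components of one command each there are already 4 interference conditions (2 assertions per component, checked against the 1 command of the other); the obligation count grows with the product of program sizes, which is the quadratic explosion the slide warns about, and every annotation change regenerates them.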

SLIDE 11

Interleaving: model (repeat of slide 7)

SLIDE 12

Await Painting

➡ We introduce: variable AT (Active Task)
➡ We “AWAIT-paint” almost all statements:

  task A:  code_A || AWAIT AT=A THEN {P1} a1; AWAIT AT=A THEN {P2} a2; AWAIT AT=A THEN {P3} a3; ...
  task B:  code_B || AWAIT AT=B THEN {R1} b1; AWAIT AT=B THEN {R2} b2; AWAIT AT=B THEN {R3} b3; ...

➡ Interleaving is controlled by hardware operations: taking interrupts, return-from-interrupt, context switch (AT := task_id;)

  await_paint A code_A; || await_paint B code_B; || ...
  SCHEME [0≤i<n] WHILE True DO await_paint Ai code_Ai END

SLIDE 13

Interleaving: model

task A1 ... task An, sched, handler H1 ... handler Hm:

  code_A1 || ... || code_An || code_sch || code_H1 || ... || code_Hm

becomes

  SCHEME [0≤i<n] WHILE True DO await_paint Ai code_Ai END
  ||
  WHILE True DO ITakeSched() await_paint sched code_sch await_paint sched IRet() END
  ||
  SCHEME [0≤j<m] WHILE True DO ITake(Hj) await_paint Hj code_Hj await_paint Hj IRet() END

SLIDE 14

Full model

Generic interrupt-induced interleaving:
  definition interleaving code_Ai code_sch code_Hj ≡ (the three parallel components of slide 13)

HW API:
  definition ITake(X) ≡ ...
  definition IRet(X) ≡ ...
  definition ITakeSched() ≡ ...
  definition Int-Disable(X) ≡ EI := EI - X
  definition Int-Enable(X) ≡ EI := EI ∪ X

Model variables: AT, EI, ATStack

ITake Hj, intuitively:      AT := Hj
ITake Hj, more precisely:   AWAIT Hj ∈ EI - ATStack ⋀ Hj ∈ interrupt-policy (AT) THEN ATStack := AT#ATStack; AT := Hj END

SLIDE 15

Full model: eChronos instantiation (~200 lines of parallel program)

definition echronos-sys ≡ interleaving echr_Ai echr_sch echr_Hj

  echr_Ai  ⋍ OS function call: Int-Disable(sched); internal-stuff; Int-Enable(sched)
  echr_sch ⋍ R := handleEvent R E; next := schedPolicy R; switch next
  echr_Hj  ⋍ E := ...; schedReq; rfi
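The await-painted model of slides 12 to 15, as an added example that is not the authors' Isabelle/HOL development: a Python encoding of a 2-task / 1-handler / 1-scheduler instance of the generic interleaving, with every statement AWAIT-painted on AT and the hardware operations (ITake, IRet, Int-Disable, Int-Enable) as guarded atomic steps, followed by exhaustive enumeration of every interleaving the guards allow and a check of the scheduler invariant in each reachable state. The slides elide several definitions, so the following are this example's assumptions: IRet pops ATStack; ITakeSched fires from a user task when the scheduler interrupt is enabled and requested; `switch` in the scheduler rewrites the saved task on top of ATStack; handleEvent R E = R ∪ E with E and the request consumed atomically; schedPolicy picks the highest fixed priority; task A's OS call blocks A (signal_wait-like) and task B's wakes A (signal_send-like); and the invariant is checked only while no scheduler request is pending, because with ITakeSched as a separate step the state immediately after a handler's rfi still carries the request.

```python
"""Explicit-state exploration of an AWAIT-painted interrupt model.

Added example, not the Isabelle/HOL model from the slides.  All definitions
the slides leave as "..." (IRet, ITakeSched, switch, handleEvent, schedPolicy,
the task bodies) are assumptions of this example.
"""
from dataclasses import dataclass, replace

A, B, H1, SCHED = "A", "B", "H1", "sched"
USER_TASKS = frozenset({A, B})
PRIORITY = {A: 2, B: 1}          # assumed fixed priorities: A preempts B


@dataclass(frozen=True)
class State:
    at: str          # AT: active task / handler / scheduler
    ei: frozenset    # EI: enabled interrupts
    stack: tuple     # ATStack: interrupted contexts, innermost first
    R: frozenset     # runnable tasks
    E: frozenset     # pending events (tasks to wake)
    req: bool        # scheduler requested (schedReq)
    pc: tuple        # program counter of each parallel component


def policy(R):
    """schedPolicy (assumed): highest-priority runnable task; R is never empty here."""
    return max(R, key=PRIORITY.get)


def painted(owner, effect):
    """await_paint: AWAIT AT = owner THEN effect END."""
    return (lambda s: s.at == owner, effect)


def push(s, who):    # common part of ITake / ITakeSched: ATStack := AT#ATStack; AT := who
    return replace(s, stack=(s.at,) + s.stack, at=who)


def task(me, update):
    """echr_Ai: Int-Disable(sched); internal-stuff; next := schedPolicy R; switch next;
    Int-Enable(sched).  The last two of those are one step here: with sched
    disabled no other component can touch R between them."""
    return [
        painted(me, lambda s: replace(s, ei=s.ei - {SCHED})),
        painted(me, lambda s: replace(s, R=update(s.R))),
        painted(me, lambda s: replace(s, at=policy(s.R))),
        painted(me, lambda s: replace(s, ei=s.ei | {SCHED})),
    ]


HANDLER = [
    # ITake H1: AWAIT H1 ∈ EI - ATStack ∧ H1 ∈ interrupt-policy AT; the assumed
    # interrupt policy lets H1 interrupt anything but itself.
    (lambda s: H1 in s.ei - set(s.stack) and s.at != H1, lambda s: push(s, H1)),
    painted(H1, lambda s: replace(s, E=s.E | {A})),                         # E := ... (wake A)
    painted(H1, lambda s: replace(s, req=True)),                             # schedReq
    painted(H1, lambda s: replace(s, at=s.stack[0], stack=s.stack[1:])),    # rfi (IRet, assumed: pop)
]

SCHEDULER = [
    # ITakeSched (assumed): lowest priority, so only a user task gets preempted
    (lambda s: s.at in USER_TASKS and SCHED in s.ei and s.req, lambda s: push(s, SCHED)),
    # R := handleEvent R E, consuming E and the request atomically (assumed)
    painted(SCHED, lambda s: replace(s, R=s.R | s.E, E=frozenset(), req=False)),
    # next := schedPolicy R; switch next: IRet will return to next, not to the interrupted task
    painted(SCHED, lambda s: replace(s, stack=(policy(s.R),) + s.stack[1:])),
    painted(SCHED, lambda s: replace(s, at=s.stack[0], stack=s.stack[1:])),  # IRet
]

COMPONENTS = [task(A, lambda R: R - {A}),   # A blocks itself (signal_wait-like)
              task(B, lambda R: R | {A}),   # B wakes A (signal_send-like)
              SCHEDULER, HANDLER]

INIT = State(at=A, ei=frozenset({H1, SCHED}), stack=(), R=USER_TASKS,
             E=frozenset(), req=False, pc=(0, 0, 0, 0))


def successors(s):
    """One atomic step of any component whose AWAIT guard holds; every component loops."""
    for i, prog in enumerate(COMPONENTS):
        guard, effect = prog[s.pc[i]]
        if guard(s):
            pc = list(s.pc)
            pc[i] = (pc[i] + 1) % len(prog)
            yield replace(effect(s), pc=tuple(pc))


def sched_inv(s):
    """Slide: (AT ∈ User_tasks ∧ sched ∈ EI) ⟹ schedPolicy (handleEvent E R) = AT,
    guarded here by "no scheduler request pending" (assumption, see lead-in)."""
    if s.at in USER_TASKS and SCHED in s.ei and not s.req:
        return policy(s.R | s.E) == s.at
    return True


def sched_inv_literal(s):
    """The slide's formula without the request guard, for comparison."""
    if s.at in USER_TASKS and SCHED in s.ei:
        return policy(s.R | s.E) == s.at
    return True


def explore(inv):
    """Exhaustive reachability from INIT; returns (number of states, violating states)."""
    seen, todo, bad = {INIT}, [INIT], []
    while todo:
        s = todo.pop()
        if not inv(s):
            bad.append(s)
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return len(seen), bad
```

`explore(sched_inv)` returns no violations, while `explore(sched_inv_literal)` reports the states reached right after a handler has set E and requested the scheduler but before ITakeSched has fired; every one of them has `req` set. That is the gap between an instruction-level model with a separate interrupt-taking step and hardware that takes a pending, enabled interrupt before the next instruction, and it is why the request flag has to appear in the antecedent of this example's invariant. The exploration is a finite-state check of one instance, not the proof: the Owicki-Gries development on the slides covers n tasks and m handlers symbolically.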

SLIDE 16

Overview (recap; same content as slide 5)

SLIDE 17

eChronos scheduling correctness

English: “the running task is the highest-priority runnable task”

Formally:
  definition sched_inv ≡ (AT ∈ User_tasks ⋀ sched ∈ EI) ⟹ schedPolicy (handleEvent E R) = AT
  theorem ⊩i {sched_inv} {⊤} echronos_sys {⊥}

Where: [Figure: task A's execution with the points where the invariant is required marked 1.]

SLIDE 18

Proof framework

OG gives us derivation rules (Leonor Prensa Nieto, 2002):   ⊩ p c q

But here it needs an invariant:   ⊩i I p c q

We add support for assumed invariants:   I’ ⊩i I p c q

We add support for proving invariants compositionally.

SLIDE 19

Proof overview

Goal:  theorem ⊩i {sched_inv} {⊤} echronos_sys {⊥}

Using the compositionality lemma, this splits into:
  lemma {helper_invs} ⊩i {sched_inv} {⊤} echronos_sys {⊥}
  lemma ⊩i {helper_invs} {⊤} echronos_sys {⊥}

Where:  definition helper_invs ≡ I1 ⋀ ... ⋀ I9

Examples:  definition last-stack-inv ≡ last (AT#ATStack) ∈ User_tasks

SLIDE 20

Proof engineering!

Goal:
  lemma {helper_invs} ⊩i {sched_inv} {⊤} echronos_sys {⊥}
  lemma ⊩i {helper_invs} {⊤} echronos_sys {⊥}

VCG → ∼3,000 subgoals → custom tactic → ∼30 subgoals → add/fix annotations, tweak the tactic, repeat

SLIDE 21

Proof engineering! (continued)

Goal (as before):
  lemma {helper_invs} ⊩i {sched_inv} {⊤} echronos_sys {⊥}
  lemma ⊩i {helper_invs} {⊤} echronos_sys {⊥}

VCG: ∼3,000 subgoals (∼90s)
custom tactic: 0 subgoals ✓ (∼1h, each time you change annotations!)

apply (tactic T), where T runs T’ in parallel on all subgoals and
  T’ ≡ try T1 orelse try T2 orelse try T3 orelse ...
  the Ti: prework (not using simp); subst or simp only with specific rules; forward rules, no simp, only by assumption; simp with some only…; blast; clarsimp; fastforce; clean-up (not using simp)

SLIDE 22

Proof engineering! (continued)

Goal (as before):
  lemma {helper_invs} ⊩i {sched_inv} {⊤} echronos_sys {⊥}
  lemma ⊩i {helper_invs} {⊤} echronos_sys {⊥}

Baseline: VCG ∼3,000 subgoals (∼90s); custom tactic 0 subgoals ✓ (∼1h)
  ➡ deduplication: ∼1,000 subgoals
  ➡ removed redundant computation: 5s / 5-30min
  ➡ subgoal proof skipping (*unsafe*), with CACHE-ON: 5-30s

SLIDE 23

Summary (same content as slide 5)

SLIDE 24

Next?

➡ down to the code!
➡ link to more detailed API Spec

definition echronos-sys ≡ interleaving echr_Ai echr_sch echr_Hj
  echr_Ai  ⋍ OS function call: Int-Disable(sched); internal-stuff; Int-Enable(sched)
  echr_sch ⋍ R := handleEvent R E; next := schedPolicy R; switch next
  echr_Hj  ⋍ E := ...; schedReq; rfi

SLIDE 25

Thank you