Schedulability Analysis as Evidence? Bjrn Brandenburg Max Planck - - PowerPoint PPT Presentation

Schedulability Analysis as Evidence?

Björn Brandenburg Max Planck Institute for Software Systems (MPI-SWS)

1

Schedulability Analysis as Evidence?

Can safety case rely on schedulability analysis? Safety Case ← Argument ← Evidence ← Methodology

2

Schedulability Analysis as Evidence?

Can safety case rely on schedulability analysis? Safety Case ← Argument ← Evidence ← Methodology “Is the methodology agreed as effective?” -- Philippa Ryan

• Does it “work”?
• Is it sound? Actually all deadlines met if analysis says ‘yes’?

3

Schedulability Analysis as Evidence?

Can safety case rely on schedulability analysis? Safety Case ← Argument ← Evidence ← Methodology “Is the methodology agreed as effective?” -- Philippa Ryan

• Does it “work”?
• Is it sound? Actually all deadlines met if analysis says ‘yes’?

3

Schedulability Analysis as Evidence?

Can safety case rely on schedulability analysis? Safety Case ← Argument ← Evidence ← Methodology “Is the methodology agreed as effective?” -- Philippa Ryan

• Does it “work”?
• Is it sound? Actually all deadlines met if analysis says ‘yes’?

3

Advanced Analysis for Mixed- Criticality Systems?

It’s been peer-reviewed — should it be deemed effective?

• Difficult to predict the future.

Let’s take a look at the history of real-time scheduling…

4

Advanced Analysis for Mixed- Criticality Systems?

It’s been peer-reviewed — should it be deemed effective?

• Difficult to predict the future.

Let’s take a look at the history of real-time scheduling…

4

A Look Back (1/4)

Liu & Layland (1973)

• Raymond Devillers and Joël Goossens, “Liu and Layland’s

schedulability test revisited”, Information Processing Letters, 73(5):157–161, 2000.

5

A Look Back (1/4)

Liu & Layland (1973)

• Raymond Devillers and Joël Goossens, “Liu and Layland’s

schedulability test revisited”, Information Processing Letters, 73(5):157–161, 2000.

5

A Look Back (2/4)

Response-Time Analysis (RTA) — deceptively simple

• implicit/constrained deadlines vs. arbitrary deadlines
• preemptive vs. non-preemptive scheduling [13 years]
• Jitter vs. general self-suspensions [20 years]
• Jian-Jia Chen et al. Many suspensions, many problems: A review
• f self-suspending tasks in real-time systems. Technical Report

854 (rev. 2), Dep. of Computer Science, TU Dortmund, March 2017.

6

A Look Back (2/4)

Response-Time Analysis (RTA) — deceptively simple

• implicit/constrained deadlines vs. arbitrary deadlines
• preemptive vs. non-preemptive scheduling [13 years]
• Jitter vs. general self-suspensions [20 years]
• Jian-Jia Chen et al. Many suspensions, many problems: A review
• f self-suspending tasks in real-time systems. Technical Report

854 (rev. 2), Dep. of Computer Science, TU Dortmund, March 2017.

6

A Look Back (2/4)

Response-Time Analysis (RTA) — deceptively simple

• implicit/constrained deadlines vs. arbitrary deadlines
• preemptive vs. non-preemptive scheduling [13 years]
• Jitter vs. general self-suspensions [20 years]
• Jian-Jia Chen et al. Many suspensions, many problems: A review
• f self-suspending tasks in real-time systems. Technical Report

854 (rev. 2), Dep. of Computer Science, TU Dortmund, March 2017.

6

A Look Back (2/4)

Response-Time Analysis (RTA) — deceptively simple

• implicit/constrained deadlines vs. arbitrary deadlines
• preemptive vs. non-preemptive scheduling [13 years]
• Jitter vs. general self-suspensions [20 years]
• Jian-Jia Chen et al. Many suspensions, many problems: A review
• f self-suspending tasks in real-time systems. Technical Report

854 (rev. 2), Dep. of Computer Science, TU Dortmund, March 2017.

6

A Look Back (2/4)

Response-Time Analysis (RTA) — deceptively simple

• implicit/constrained deadlines vs. arbitrary deadlines
• preemptive vs. non-preemptive scheduling [13 years]
• Jitter vs. general self-suspensions [20 years]
• Jian-Jia Chen et al. Many suspensions, many problems: A review
• f self-suspending tasks in real-time systems. Technical Report

854 (rev. 2), Dep. of Computer Science, TU Dortmund, March 2017.

6

A Look Back (3/4)

Multiprocessor Priority Ceiling Protocol (1990):

• Maolin Yang, Jian-Jia Chen, and Wen-Hung Huang. A misconception

in blocking time analyses under multiprocessor synchronization

• protocols. Real-Time Systems, 53(2):187–195, 2017.

[MPCP analysis (+others) assumes wrong critical instant]

• Jian-Jia Chen and Björn Brandenburg. A note on the period enforcer

algorithm for self-suspending tasks. Leibniz Transactions on Embedded Systems, 4(1), 2017. [Period enforcer incompatible with locking protocols / existing analyses]

7

A Look Back (3/4)

Multiprocessor Priority Ceiling Protocol (1990):

• Maolin Yang, Jian-Jia Chen, and Wen-Hung Huang. A misconception

in blocking time analyses under multiprocessor synchronization

• protocols. Real-Time Systems, 53(2):187–195, 2017.

[MPCP analysis (+others) assumes wrong critical instant]

• Jian-Jia Chen and Björn Brandenburg. A note on the period enforcer

algorithm for self-suspending tasks. Leibniz Transactions on Embedded Systems, 4(1), 2017. [Period enforcer incompatible with locking protocols / existing analyses]

7

A Look Back (3/4)

Multiprocessor Priority Ceiling Protocol (1990):

• Maolin Yang, Jian-Jia Chen, and Wen-Hung Huang. A misconception

in blocking time analyses under multiprocessor synchronization

• protocols. Real-Time Systems, 53(2):187–195, 2017.

[MPCP analysis (+others) assumes wrong critical instant]

• Jian-Jia Chen and Björn Brandenburg. A note on the period enforcer

algorithm for self-suspending tasks. Leibniz Transactions on Embedded Systems, 4(1), 2017. [Period enforcer incompatible with locking protocols / existing analyses]

7

A Look Back (4/4)

Scheduling with Arbitrary Processor Affinities

• A. Gujarati, F. Cerqueira, and B. Brandenburg. Schedulability Analysis of

the Linux Push and Pull Scheduler with Arbitrary Processor Affinities.

• Proc. ECRTS’13.

[incorrect over-generalization: proposed reduction technique works only for a few, not all global schedulability tests]

• Bug also present in extended journal paper

➔ got past (at least) six reviewers! ➔ unrealistic and unreasonable to expect reviewers to determine correctness

8

A Look Back (4/4)

Scheduling with Arbitrary Processor Affinities

• A. Gujarati, F. Cerqueira, and B. Brandenburg. Schedulability Analysis of

the Linux Push and Pull Scheduler with Arbitrary Processor Affinities.

• Proc. ECRTS’13.

[incorrect over-generalization: proposed reduction technique works only for a few, not all global schedulability tests]

• Bug also present in extended journal paper

➔ got past (at least) six reviewers! ➔ unrealistic and unreasonable to expect reviewers to determine correctness

8

A Look Back (4/4)

Scheduling with Arbitrary Processor Affinities

• A. Gujarati, F. Cerqueira, and B. Brandenburg. Schedulability Analysis of

the Linux Push and Pull Scheduler with Arbitrary Processor Affinities.

• Proc. ECRTS’13.

[incorrect over-generalization: proposed reduction technique works only for a few, not all global schedulability tests]

• Bug also present in extended journal paper

➔ got past (at least) six reviewers! ➔ unrealistic and unreasonable to expect reviewers to determine correctness

8

Mixed-Criticality Analysis is not Any Easier than Classic Schedulability Analysis!

…so what can we do?

• OPEN PROBLEM

How to make complex schedulability analysis trustworthy?

• DESPITE

➔ increasing model fidelity & complexity ➔ increasing proof sophistication & non-obvious correctness criteria

9

Mixed-Criticality Analysis is not Any Easier than Classic Schedulability Analysis!

…so what can we do?

• OPEN PROBLEM

How to make complex schedulability analysis trustworthy?

• DESPITE

➔ increasing model fidelity & complexity ➔ increasing proof sophistication & non-obvious correctness criteria

9

Mixed-Criticality Analysis is not Any Easier than Classic Schedulability Analysis!

…so what can we do?

• OPEN PROBLEM

How to make complex schedulability analysis trustworthy?

• DESPITE

➔ increasing model fidelity & complexity ➔ increasing proof sophistication & non-obvious correctness criteria

9

10

PROSA: Formally Proven Schedulability Analysis

An open-source effort to formally verify the core of real-time scheduling theory, with the help of the Coq proof assistant.

• Precise, unambiguous, uniform definitions
• All assumptions explicit
• Guaranteed-correct proofs: all claims in Prosa have

machine-checked proofs, which rules out human error!

11

PROSA: Formally Proven Schedulability Analysis

An open-source effort to formally verify the core of real-time scheduling theory, with the help of the Coq proof assistant.

• Precise, unambiguous, uniform definitions
• All assumptions explicit
• Guaranteed-correct proofs: all claims in Prosa have

machine-checked proofs, which rules out human error!

11

PROSA: Formally Proven Schedulability Analysis

An open-source effort to formally verify the core of real-time scheduling theory, with the help of the Coq proof assistant.

• Precise, unambiguous, uniform definitions
• All assumptions explicit
• Guaranteed-correct proofs: all claims in Prosa have

machine-checked proofs, which rules out human error!

11

PROSA: Formally Proven Schedulability Analysis

An open-source effort to formally verify the core of real-time scheduling theory, with the help of the Coq proof assistant.

• Precise, unambiguous, uniform definitions
• All assumptions explicit
• Guaranteed-correct proofs: all claims in Prosa have

machine-checked proofs, which rules out human error!

11

What can you do with Prosa?

• 1. Know which results you can trust.

➔ schedulability analysis as evidence

• 2. Understand proofs of classic (and new) claims in full detail.
• 3. Adopt an accepted, precise model: don’t reinvent the wheel.
• 4. Prepare your proofs so that they can be automatically

checked ➔ avoid errors in new results.

• 5. Make life easier for peer reviewers.

12

What can you do with Prosa?

• 1. Know which results you can trust.

➔ schedulability analysis as evidence

• 2. Understand proofs of classic (and new) claims in full detail.
• 3. Adopt an accepted, precise model: don’t reinvent the wheel.
• 4. Prepare your proofs so that they can be automatically

checked ➔ avoid errors in new results.

• 5. Make life easier for peer reviewers.

12

What can you do with Prosa?

• 1. Know which results you can trust.

➔ schedulability analysis as evidence

• 2. Understand proofs of classic (and new) claims in full detail.
• 3. Adopt an accepted, precise model: don’t reinvent the wheel.
• 4. Prepare your proofs so that they can be automatically

checked ➔ avoid errors in new results.

• 5. Make life easier for peer reviewers.

12

What can you do with Prosa?

• 1. Know which results you can trust.

➔ schedulability analysis as evidence

• 2. Understand proofs of classic (and new) claims in full detail.
• 3. Adopt an accepted, precise model: don’t reinvent the wheel.
• 4. Prepare your proofs so that they can be automatically

checked ➔ avoid errors in new results.

• 5. Make life easier for peer reviewers.

12

What can you do with Prosa?

• 1. Know which results you can trust.

➔ schedulability analysis as evidence

• 2. Understand proofs of classic (and new) claims in full detail.
• 3. Adopt an accepted, precise model: don’t reinvent the wheel.
• 4. Prepare your proofs so that they can be automatically

checked ➔ avoid errors in new results.

• 5. Make life easier for peer reviewers.

12

What can you do with Prosa?

• 1. Know which results you can trust.

➔ schedulability analysis as evidence

• 2. Understand proofs of classic (and new) claims in full detail.
• 3. Adopt an accepted, precise model: don’t reinvent the wheel.
• 4. Prepare your proofs so that they can be automatically

checked ➔ avoid errors in new results.

• 5. Make life easier for peer reviewers.

12

What Prosa is NOT

• Prosa is not a model checker: no exhaustive exploration, no

resource limits ➔ human intelligence is the bottleneck, not machine resources

• Prosa will not find bugs in existing “proofs”

➔ but will also not allow you to construct false “proofs”

• Prosa will not automatically find proofs for your claims

➔ Coq is a proof assistant, not an automatic theorem prover

13

What Prosa is NOT

• Prosa is not a model checker: no exhaustive exploration, no

resource limits ➔ human intelligence is the bottleneck, not machine resources

• Prosa will not find bugs in existing “proofs”

➔ but will also not allow you to construct false “proofs”

• Prosa will not automatically find proofs for your claims

➔ Coq is a proof assistant, not an automatic theorem prover

13

What Prosa is NOT

• Prosa is not a model checker: no exhaustive exploration, no

resource limits ➔ human intelligence is the bottleneck, not machine resources

• Prosa will not find bugs in existing “proofs”

➔ but will also not allow you to construct false “proofs”

• Prosa will not automatically find proofs for your claims

➔ Coq is a proof assistant, not an automatic theorem prover

13

What Prosa is NOT

• Prosa is not a model checker: no exhaustive exploration, no

resource limits ➔ human intelligence is the bottleneck, not machine resources

• Prosa will not find bugs in existing “proofs”

➔ but will also not allow you to construct false “proofs”

• Prosa will not automatically find proofs for your claims

➔ Coq is a proof assistant, not an automatic theorem prover

13

What does Prosa consist of?

• 1. Definitions: jobs, arrival sequences, schedules, tasks, scheduling policies,

service, job completion, response-time bounds, … ➔ goal: as simple and tasteful as possible

• 2. Algorithms: response-time analysis, schedule transformations, …
• 3. Formal Claims: e.g., expressing “if there exists a positive fixed-point

, where , then is a response-time bound.” ➔ focus: primarily soundness

• 4. Mechanized Proofs: invocations of tactics (i.e., macros) that produce “proof

assembly code” to construct a proof tree in basic logic. ➔ the payoff: machine-checked, thus guaranteed correct

14

What does Prosa consist of?

• 1. Definitions: jobs, arrival sequences, schedules, tasks, scheduling policies,

service, job completion, response-time bounds, … ➔ goal: as simple and tasteful as possible

• 2. Algorithms: response-time analysis, schedule transformations, …
• 3. Formal Claims: e.g., expressing “if there exists a positive fixed-point

, where , then is a response-time bound.” ➔ focus: primarily soundness

• 4. Mechanized Proofs: invocations of tactics (i.e., macros) that produce “proof

assembly code” to construct a proof tree in basic logic. ➔ the payoff: machine-checked, thus guaranteed correct

14

What does Prosa consist of?

• 1. Definitions: jobs, arrival sequences, schedules, tasks, scheduling policies,

service, job completion, response-time bounds, … ➔ goal: as simple and tasteful as possible

• 2. Algorithms: response-time analysis, schedule transformations, …
• 3. Formal Claims: e.g., expressing “if there exists a positive fixed-point

, where , then is a response-time bound.” ➔ focus: primarily soundness

• 4. Mechanized Proofs: invocations of tactics (i.e., macros) that produce “proof

assembly code” to construct a proof tree in basic logic. ➔ the payoff: machine-checked, thus guaranteed correct

14

What does Prosa consist of?

• 1. Definitions: jobs, arrival sequences, schedules, tasks, scheduling policies,

service, job completion, response-time bounds, … ➔ goal: as simple and tasteful as possible

• 2. Algorithms: response-time analysis, schedule transformations, …
• 3. Formal Claims: e.g., expressing “if there exists a positive fixed-point

, where , then is a response-time bound.” ➔ focus: primarily soundness

• 4. Mechanized Proofs: invocations of tactics (i.e., macros) that produce “proof

assembly code” to construct a proof tree in basic logic. ➔ the payoff: machine-checked, thus guaranteed correct

14

What does Prosa consist of?

• 1. Definitions: jobs, arrival sequences, schedules, tasks, scheduling policies,

service, job completion, response-time bounds, … ➔ goal: as simple and tasteful as possible

• 2. Algorithms: response-time analysis, schedule transformations, …
• 3. Formal Claims: e.g., expressing “if there exists a positive fixed-point

, where , then is a response-time bound.” ➔ focus: primarily soundness

• 4. Mechanized Proofs: invocations of tactics (i.e., macros) that produce “proof

assembly code” to construct a proof tree in basic logic. ➔ the payoff: machine-checked, thus guaranteed correct

14

Example: Definitions (1/2)

Goal: Short, Obvious, and Natural Definitions

(* Consider any uniprocessor schedule. *) Variable sched: schedule Job. (* Let j be any job. *) Variable j: Job. (* First, we define whether a job j is scheduled at time t, ... *) Definition scheduled_at (t: time) := sched t == Some j.

15

Example: Definitions (2/2)

(* ...which also yields the instantaneous service received by job j at time t (i.e., either 0 or 1). *) Definition service_at (t: time) : time := scheduled_at t. (* Based on the notion of instantaneous service, we define the cumulative service received by job j during any interval [t1, t2). *) Definition service_during (t1 t2: time) := \sum_(t1 <= t < t2) service_at t.

16

Example: Claims (1/2)

(* Consider any uniprocessor schedule. *) Variable sched: schedule Job. (* Let j be any job that is to be scheduled. *) Variable j: Job. Lemma service_at_most_one: ∀ t, service_at sched j t <= 1.

Goal: natural, explicit, readable, as short as sensible.

17

Example: Claims (2/2)

(* ...which implies that the cumulative service received by job j in any interval of length delta is at most delta. *) Lemma cumulative_service_le_delta: ∀ t delta, service_during sched j t (t + delta) <= delta.

18

Example: Proof scripts

NOTE: proof scripts are not intended for human consumption.

Lemma cumulative_service_le_delta: ∀ t delta, service_during sched j t (t + delta) <= delta. Proof. unfold service_during; intros t delta. apply leq_trans with (n := \sum_(t <= t0 < t + delta) 1); last by simpl_sum_const; rewrite addKn leqnn. by apply leq_sum; intros t0 _; apply leq_b1. Qed.

19

Remaining Risks?

How could analysis still be unsound?

• 1. A bug in the Coq proof assistant

➔ highly unlikely, but not impossible ➔ proof checking kernel: small, simple, widely used

• 2. Contradicting hypotheses: can “prove” anything from

➔ possible in principle, but... ➔ …ruled out in Prosa by development process

• 3. Nonsensical specification: e.g., meaning of “jitter”, “release”, “arrival”?

➔ readable specification + community review!

20

Remaining Risks?

How could analysis still be unsound?

• 1. A bug in the Coq proof assistant

➔ highly unlikely, but not impossible ➔ proof checking kernel: small, simple, widely used

• 2. Contradicting hypotheses: can “prove” anything from

➔ possible in principle, but... ➔ …ruled out in Prosa by development process

• 3. Nonsensical specification: e.g., meaning of “jitter”, “release”, “arrival”?

➔ readable specification + community review!

20

Remaining Risks?

How could analysis still be unsound?

• 1. A bug in the Coq proof assistant

➔ highly unlikely, but not impossible ➔ proof checking kernel: small, simple, widely used

• 2. Contradicting hypotheses: can “prove” anything from

➔ possible in principle, but... ➔ …ruled out in Prosa by development process

• 3. Nonsensical specification: e.g., meaning of “jitter”, “release”, “arrival”?

➔ readable specification + community review!

20

Remaining Risks?

How could analysis still be unsound?

• 1. A bug in the Coq proof assistant

➔ highly unlikely, but not impossible ➔ proof checking kernel: small, simple, widely used

• 2. Contradicting hypotheses: can “prove” anything from

➔ possible in principle, but... ➔ …ruled out in Prosa by development process

• 3. Nonsensical specification: e.g., meaning of “jitter”, “release”, “arrival”?

➔ readable specification + community review!

20

PROSA

Trustworthy Schedulability Analysis

Learn more at: prosa.mpi-sws.org

… or propose a better way to obtain bullet-proof analysis!

21