Lets Build Provable Multicore Schedulers! Redha GOUICEM Whisper - PowerPoint PPT Presentation

Let’s Build Provable Multicore Schedulers! Redha GOUICEM Whisper team, Sorbonne Universités, Inria, LIP6 Joint work with: Gilles MULLER, Julia LAWALL (Inria, LIP6), Julien SOPENA (LIP6, UPMC), Baptiste LEPERS, Willy ZWAENPOEL (EPFL), Jean-Pierre LOZI (UNICE), Nicolas PALIX (Université Grenoble-Alpes) April 23, 2017 April 23, 2017 1/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Context Lozi et al. [EUROSYS’16] found bugs in the Linux scheduler, eg. violation of work conservation property Work conservation : process waiting to be scheduled ⇒ no idle core April 23, 2017 1/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Context Lozi et al. [EUROSYS’16] found bugs in the Linux scheduler, eg. violation of work conservation property Work conservation : process waiting to be scheduled ⇒ no idle core Some cores are idle while others are overloaded April 23, 2017 1/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Problem: Finding bugs Linux scheduler (CFS) is growing fast in terms of complexity (lines of code, variables, functions, structures) kernel/sched/fair.c codebase history: ./fair.c Count Lines of Code Functions 8000 300 code static_func 7000 250 comment func 6000 200 5000 Number Number 4000 150 3000 100 2000 50 1000 0 0 2007 2009 2011 2013 2015 2017 2007 2009 2011 2013 2015 2017 Date Date Variables Struct 30 6 static_var struct 25 5 var 20 4 Number Number 15 3 10 2 5 1 0 0 2007 2009 2011 2013 2015 2017 2007 2009 2011 2013 2015 2017 Date Date ⇒ difficult to maintain and add features April 23, 2017 2/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Contribution Ipanema , a DSL for proved multicore schedulers Based on Bossa [HASE’05], an event-based DSL for single-core schedulers April 23, 2017 3/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Contribution Ipanema , a DSL for proved multicore schedulers Based on Bossa [HASE’05], an event-based DSL for single-core schedulers DSL policy Leon compiler C compiler Compiled C policy Compiled Leon (Kernel module) Code Scheduling events Ipanema API Proofs Kernel hooks Kernel API April 23, 2017 3/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Contribution Ipanema = Bossa + load balancing + proofs BEFORE new() loadBalance() READY exit() block() yield() schedule() tick() TERMINATED RUNNING exit() block() BLOCKED unblock() exit() April 23, 2017 4/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Contribution Ipanema = Bossa + load balancing + proofs All cores BEFORE 1 Filter new() loadBalance() READY Stealable exit() cores block() yield() schedule() tick() 2 Select TERMINATED RUNNING exit() Stolen block() core BLOCKED unblock() exit() 3 Steal April 23, 2017 4/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Contribution Ipanema = Bossa + load balancing + proofs All cores BEFORE 1 Filter new() loadBalance() READY Stealable exit() cores block() yield() schedule() tick() 2 Select TERMINATED RUNNING exit() Stolen block() core BLOCKED unblock() exit() 3 Steal April 23, 2017 4/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Evaluation Safety : generated kernel modules do not lead to kernel crashes or failures DSL expressivity : can we implement “all” scheduling policies ? Simplicity : can “anyone” write a scheduling policy ? Bug detection : do we prevent bugs that were found/fixed in the CFS ? April 23, 2017 5/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Code sample handler ( thread_event e) { On new { core c = first(cores order = { lowest load }); e.target.load = 0; e.target.progress = 0; e.target => c.ready; } On detach { e.target => terminated; } On tick { thread = { update_progress (e.target ); if (e.target. curr_quanta >= max_quanta) { int progress , load , last_sched , curr_quanta ; update_load (e.target , max_quanta ); } e.target => ready; } core = { } threads = { RUNNING thread current; On schedule { shared READY set <thread > ready:order = { thread t = first(ready ); lowest progress t. last_sched = now (); t. curr_quanta = 0; }; t => current; BLOCKED blocked; } TERMINATED terminated; } On unblock { int load = sum(ready.load) + core c = first(cores order = { lowest load }); valid(current) ? 1024 : 0; e.target => c.ready; } } On yield { update_progress (e.target ); update_load (e.target ,e.target. curr_quanta ); e.target => ready; } On block { update_progress (e.target ); update_load (e.target ,e.target. curr_quanta ); e.target => blocked; } } April 23, 2017 6/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Preliminary results Kernel build performance (lower is better) cfs bl_simple_decl 1000 9 8 7 6 5 4 runtime in s 3 2 100 9 8 7 6 5 0 20 40 60 80 100 # of make jobs April 23, 2017 7/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Preliminary results (2) April 23, 2017 8/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Roadmap What we have: Ipanema → C compiler Modified Linux-kernel for Ipanema: scheduling events hooks Simple policies written in Ipanema run on a modified Linux Work conservation proof in Leon for CFS-like balancing policies What remains to be done: Prove properties on policies (fairness, liveness, work conservation) Work on the Ipanema → Leon compiler to generate these proofs Evaluate April 23, 2017 9/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!

Roadmap What we have: Ipanema → C compiler Modified Linux-kernel for Ipanema: scheduling events hooks Simple policies written in Ipanema run on a modified Linux Work conservation proof in Leon for CFS-like balancing policies What remains to be done: Prove properties on policies (fairness, liveness, work conservation) Work on the Ipanema → Leon compiler to generate these proofs Evaluate April 23, 2017 9/9 Redha GOUICEM Let’s Build Provable Multicore Schedulers!