Proof of OS scheduling behavior in the presence of interrupt-induced concurrency
June Andronick, Corey Lewis, Daniel Matichuk, Carroll Morgan, Christine Rizkallah
May 2016, http://trustworthy.systems/
Mission and Approach
* eChronos Embedded OS (interruptible, single-core, preemptive multi-threaded): constrained HW, no memory protection, low latency
* model-level proof of scheduling correctness
Approach: a simple foundational concurrency method (Owicki-Gries: shared-memory, racy, conceptually simple shared-variable reasoning) inside a modern theorem prover (Isabelle/HOL: machine-checked proofs, automation). Concurrency is controlled by AWAIT-painting, plus proof engineering.
2 Interrupts in OS code | June Andronick
Embedded OSes — eChronos (joint development with Breakaway Consulting)
What:
‣ small OS library (~500 SLOC)
‣ allows applications to be organised in tasks
‣ provides a library of synchronisation primitives
‣ schedules tasks according to some policy (e.g. priorities): “running task is highest priority runnable task”
Target:
‣ preemptive scheduling (not cooperative)
‣ ARM platform (nested interrupts …)
[Figure: OS API. Applications (task A, task B) can call the OS API (signal_send, signal_wait, …), which in turn calls internal functions; each task is C (current), R (runnable) or B (blocked). Interrupts 1–3 trigger handlers 1–3, which trigger the scheduler.]
Scheduling behavior, informally
[Figure: task A, task B, the scheduler and handlers 1–3, with ↯ marking interrupts.]
The system:
‣ handler: internal-stuff; E := …; R := handleEvent R E; schedReq; rfi — execution can non-deterministically jump here (↯) from anywhere else
‣ scheduler: next := schedPolicy R; switch next
‣ task: … OS function call: R := …; …
R and E are read and updated without locks.
The property: when executing internal-stuff, the current thread should be (policy (update R E)).
Overview
Model of the system:
‣ Generic interleaving: definition interleaving … ≡ A_1 ‖ … ‖ A_n ‖ Sched ‖ H_1 ‖ … ‖ H_m
‣ HW API: definition ITake (X) ≡ …; definition IRet (X) ≡ …
‣ eChronos instantiation: definition echronos-sys ≡ interleaving … … …
Model of the property “running task is highest priority runnable task”:
‣ definition sched_inv ≡ (AT ∈ User_tasks ⋀ sched ∈ EI) ⟹ schedPolicy (handleEvent E R) = AT
‣ theorem ⊩_i {sched_inv} {⊤} echronos_sys {⊥}
Proof: ∼3,000 subgoals … done
Interleaving
[Figure: task A, task B, sched, handler 1, handler 2, with ↯ marking interrupts.]
1. application code is interruptible and preemptible
2. OS code is interruptible but not preemptible
3. scheduler code is interruptible but not preemptible
4. handlers are interruptible (not preemptible)
Our model covers all these interleavings.
Interleaving: model
[Figure: sched, task A, task B, handler 1, handler 2, handler 3, modelled as code_A || code_B || code_sch || code_H_1 || code_H_2 || code_H_3. Concurrency only happens here.]
We first allow full concurrency (Owicki-Gries) and then we restrict it (we “await-paint”)!
Owicki-Gries
What: extension of Hoare logic to shared-variable parallel programs (Suzanne Owicki and David Gries, 1976; formalised in Isabelle/HOL by Leonor Prensa Nieto, 2002)
Hoare logic: c ≡ x := v | c_1; c_2 | IF b THEN c_1 ELSE c_2 FI | WHILE b DO c OD, with a VCG for {P} c {Q}
OG adds: | cobegin c_1 || c_2 || … || c_n coend | AWAIT b THEN c END
Annotated parallel program (every command carries an assertion):
{P} c_1; {P_2} c_2; {P_3} c_3; {Q}  ||  {P’} c_1’; {P_2’} c_2’; {P_3’} c_3’; {Q’}
OG VCG:
‣ local correctness: prove each {a_i} c_i {a_i+1}
‣ interference freedom: for each assertion a in P, and each command c’ in P’ (with its preceding assertion a’), prove that {a ∧ a’} c’ {a}
! requires fully annotated program
! quadratic explosion of verification conditions
! not compositional
Await Painting
➡ We introduce: variable AT (Active Task)
➡ We “AWAIT-paint” almost all statements
➡ Interleaving is controlled by hardware operations: taking interrupts, return-from-interrupt, context switch (a context switch sets AT := task_id)
code_A || code_B becomes:
AWAIT AT=A THEN {P_1} a_1 END; AWAIT AT=A THEN {P_2} a_2 END; AWAIT AT=A THEN {P_3} a_3 END; …
|| AWAIT AT=B THEN {R_1} b_1 END; AWAIT AT=B THEN {R_2} b_2 END; AWAIT AT=B THEN {R_3} b_3 END; …
i.e. await_paint A code_A || await_paint B code_B, and for n tasks:
SCHEME [0 ≤ i<n] WHILE True DO await_paint A_i code_A_i END
Interleaving: model
sched || task A_1 … task A_n || handler H_1 … handler H_m, i.e. code_sch || code_A_1 … code_A_n || code_H_1 … code_H_m, with:
SCHEME [0 ≤ i<n] WHILE True DO await_paint A_i code_A_i END
|| WHILE True DO ITakeSched (); await_paint sched code_sch; await_paint sched IRet () END
|| SCHEME [0 ≤ j<m] WHILE True DO ITake (H_j); await_paint H_j code_H_j; await_paint H_j IRet () END
Model variables
Full model: AT, EI, ATStack
Generic interrupt-induced interleaving:
definition interleaving code_A_i code_sch code_H_j ≡
  SCHEME [0 ≤ i<n] WHILE True DO await_paint A_i code_A_i END
  || WHILE True DO ITakeSched (); await_paint sched code_sch; await_paint sched IRet () END
  || SCHEME [0 ≤ j<m] WHILE True DO ITake (H_j); await_paint H_j code_H_j; await_paint H_j IRet () END
HW API:
definition ITake (X) ≡ …
definition IRet (X) ≡ …
definition ITakeSched () ≡ …
definition Int-Disable (X) ≡ EI := EI - X
definition Int-Enable (X) ≡ EI := EI ∪ X
Intuitively: ITake H_j ≡ AT := H_j
More precisely: ITake H_j ≡ AWAIT H_j ∈ EI - ATStack ⋀ H_j ∈ interrupt-policy (AT) THEN ATStack := AT # ATStack; AT := H_j END
eChronos instantiation (~200 lines of parallel program):
definition echronos-sys ≡ interleaving echr_A_i echr_sch echr_H_j
where
‣ echr_A_i ≃ … OS function call …
‣ echr_sch ≃ Int-Disable(sched); next := schedPolicy R; switch next; Int-Enable(sched)
‣ echr_H_j ≃ internal-stuff; E := …; R := handleEvent R E; schedReq; rfi
eChronos scheduling correctness
[Figure: task A with ↯ marking interrupts.]
English: “the running task is the highest-priority runnable task”
Formally: theorem ⊩_i {sched_inv} {⊤} echronos_sys {⊥}
Where: definition sched_inv ≡ (AT ∈ User_tasks ⋀ sched ∈ EI) ⟹ schedPolicy (handleEvent E R) = AT
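As an added illustration (not part of the slides, and not the authors' Isabelle/HOL model), the following Python script makes the await-painted model of the preceding slides and the property above concrete: it enumerates every interleaving of two user tasks, the scheduler and one interrupt handler under a hardware model with AT, EI and ATStack, and checks sched_inv in every reachable state. Everything beyond the slides' definitions is a constructed assumption: two user tasks T0 (idle, always runnable) and T1 (higher priority); one handler H1 that wakes T1 and fires at most MAX_FIRES times; signal_wait modelled as an OS call that disables sched, removes the task from R and requests the scheduler; and a pending scheduler request that is taken as soon as sched is enabled with a user task active, as a pending exception would be on the target hardware. The names explore, programs, successors, clone and key are the example's own. Calling explore(handler_requests_sched=False) drops the handler's schedReq, and the search returns the interleaving that breaks the invariant.

```python
"""Bounded model check of an await-painted interrupt model (constructed example)."""
from collections import deque

T0, T1, SCHED, H1 = "T0", "T1", "sched", "H1"
USER_TASKS = (T0, T1)
PRIO = {T0: 0, T1: 1}   # assumption: T1 outranks T0; T0 is the always-runnable idle task
MAX_FIRES = 2           # assumption: bound on H1 firings so the state space stays finite

def sched_policy(runnable):
    """schedPolicy R: the highest-priority runnable task."""
    return max(runnable, key=PRIO.__getitem__)

def handle_event(runnable, events):
    """handleEvent R E: pending events make their tasks runnable."""
    return runnable | events

def sched_inv(s):
    """sched_inv: AT ∈ User_tasks ∧ sched ∈ EI ⟹ schedPolicy (handleEvent E R) = AT."""
    if s["AT"] in USER_TASKS and SCHED in s["EI"]:
        return sched_policy(handle_event(s["R"], s["E"])) == s["AT"]
    return True

def take_sched_if_pending(s):
    """ITakeSched: push the active task and enter the scheduler when a request is pending and
    sched is enabled (assumption: taken at once, like a pending exception; only user tasks are preempted)."""
    if s["schedReq"] and SCHED in s["EI"] and s["AT"] in USER_TASKS:
        s["ATStack"] = (s["AT"],) + s["ATStack"]
        s["AT"], s["schedReq"] = SCHED, False

def iret(s):
    """IRet: pop the interrupted context, then honour any pending scheduler request."""
    s["AT"], s["ATStack"] = s["ATStack"][0], s["ATStack"][1:]
    take_sched_if_pending(s)

def int_enable_sched(s):
    """Int-Enable(sched): EI := EI ∪ {sched}, then honour any pending scheduler request."""
    s["EI"].add(SCHED)
    take_sched_if_pending(s)

def programs(handler_requests_sched=True):
    """Statement lists per component; await-painting: a component only steps while AT is it."""
    set_req = ("schedReq", lambda s: s.update(schedReq=True))
    handler = [("E := E ∪ {T1}", lambda s: s["E"].add(T1)),
               ("R := handleEvent R E", lambda s: s.update(R=handle_event(s["R"], s["E"]))),
               ("E := {}", lambda s: s["E"].clear())]
    handler += [set_req] if handler_requests_sched else []   # the bug: a wake-up without schedReq
    handler.append(("rfi", iret))
    return {T0: [("idle", lambda s: None)],
            T1: [("work", lambda s: None),                    # then signal_wait as an OS call:
                 ("Int-Disable(sched)", lambda s: s["EI"].discard(SCHED)),
                 ("R := R - {T1}", lambda s: s["R"].discard(T1)),
                 set_req,
                 ("Int-Enable(sched)", int_enable_sched)],
            SCHED: [("Int-Disable(sched)", lambda s: s["EI"].discard(SCHED)),
                    ("next := schedPolicy R", lambda s: s.update(next=sched_policy(s["R"]))),
                    ("switch next", lambda s: s.update(ATStack=(s["next"],))),
                    ("Int-Enable(sched)", lambda s: s["EI"].add(SCHED)),
                    ("IRet", iret)],
            H1: handler}

def clone(s):
    return {k: set(v) if isinstance(v, set) else dict(v) if isinstance(v, dict) else v
            for k, v in s.items()}

def key(s):
    return (s["AT"], s["ATStack"], frozenset(s["EI"]), frozenset(s["R"]), frozenset(s["E"]),
            s["schedReq"], tuple(sorted(s["pc"].items())), s["fires"], s["next"])

def successors(s, prog):
    """Enabled transitions: one await-painted step of the active component, or ITake(H1)."""
    comp = s["AT"]
    label, fn = prog[comp][s["pc"][comp]]
    n = clone(s)
    n["pc"][comp] = (s["pc"][comp] + 1) % len(prog[comp])
    fn(n)
    yield f"{comp}: {label}", n
    # ITake(H1): H1 ∈ EI - ATStack and H1 ∈ interrupt-policy(AT) (assumption: anything but itself)
    if H1 in s["EI"] and H1 not in s["ATStack"] and s["AT"] != H1 and s["fires"] < MAX_FIRES:
        n = clone(s)
        n["ATStack"], n["AT"], n["fires"] = (s["AT"],) + s["ATStack"], H1, s["fires"] + 1
        yield "ITake(H1)", n

def explore(handler_requests_sched=True):
    """BFS over every interleaving; returns (reachable state count, counterexample trace or None)."""
    prog = programs(handler_requests_sched)
    init = {"AT": T0, "ATStack": (), "EI": {SCHED, H1}, "R": {T0}, "E": set(),
            "schedReq": False, "pc": {c: 0 for c in prog}, "fires": 0, "next": None}
    parent, queue = {key(init): None}, deque([init])
    while queue:
        s = queue.popleft()
        if not sched_inv(s):                      # invariant broken: rebuild the interleaving
            trace, k = [], key(s)
            while parent[k] is not None:
                k, label = parent[k]
                trace.append(label)
            return len(parent), trace[::-1]
        for label, n in successors(s, prog):
            if key(n) not in parent:
                parent[key(n)] = (key(s), label)
                queue.append(n)
    return len(parent), None

if __name__ == "__main__":
    print("correct model:", explore())
    print("handler without schedReq:", explore(handler_requests_sched=False))
```

The search is the mechanical counterpart of the ∼3,000 Owicki-Gries subgoals: every state it visits is a point where a different component could be scheduled next, and the invariant is checked at each of them rather than argued once per statement. The missing-schedReq variant fails after the handler's rfi, with a user task active, sched enabled and a higher-priority task now in R, which is exactly the situation sched_inv rules out.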
Proof framework
‣ OG gives us derivation rules (Leonor Prensa Nieto, 2002): ⊩ p c q
‣ But here it needs an invariant; we add support for assumed invariants: ⊩_i I p c q
‣ We add support for proving invariants compositionally: I’ ⊩_i I p c q