Improving Interrupt Response Time in a Verifiable Protected Microkernel
Blackham, Bernard and Shi, Yao and Heiser, Gernot
EuroSys '12

James Marshall, GW-SSL Fall 2013
Resources
- Blackham, Bernard, Yao Shi, and Gernot Heiser. "Improving interrupt response time in a verifiable protected microkernel." Proceedings of the 7th ACM European Conference on Computer Systems (EuroSys). ACM, 2012.
- Elphinstone, Kevin, and Gernot Heiser. "From L3 to seL4: What Have We Learnt in 20 Years of L4 Microkernels?"
- Mehnert, Frank, Michael Hohmuth, and Hermann Härtig. "Cost and benefit of separate address spaces in real-time operating systems." Proceedings of the 23rd IEEE Real-Time Systems Symposium (RTSS 2002). IEEE, 2002.
- Blackham, Bernard, et al. "Timing analysis of a protected operating system kernel." Proceedings of the 32nd IEEE Real-Time Systems Symposium (RTSS 2011). IEEE, 2011.
- Blackham, Bernard, Vernon Tang, and Gernot Heiser. "To preempt or not to preempt, that is the question." Proceedings of the Asia-Pacific Workshop on Systems (APSys). ACM, 2012.
- Klein, Gerwin, et al. "seL4: Formal verification of an OS kernel." Proceedings of the 22nd ACM SIGOPS Symposium on Operating Systems Principles (SOSP). ACM, 2009.
Domain
- Hard real-time
- Worst-case execution time (WCET)
- Growing more complex: mixed-criticality systems
Current Real-Time OSes
- Focus on the lowest possible WCET
- Small, simple RT kernels
- Mixed-criticality dealt with like RTLinux
History
- 80's - L3 by Jochen Liedtke
- 90's - L4: fast IPC, microkernels work
- Many variants
- 00's - commercial success
seL4
- Redesigned L4 to be verified
- WCET analysis
  * Improvements for WCET of interrupts
Verification (How)
Verification (What)
Functional correctness: the implementation refines the abstract specification of the kernel.
Implications:
- No buffer overflows
- Well-formed data structures
- No non-termination
- many more...
Assumptions: C compiler, assembly, hardware, and kernel initialization.
Drawback
Concurrency is the verification killer
- Non-preemptive kernel
- Event-based kernel
Verification is very expensive
- Changes are hard to make
First WCET
- Microseconds; too slow
- Approx. 800 MHz system
Lazy Scheduling
- Optimization for better average-case execution
- WCET is king now.
Open vs. Closed Systems
What are the slow system calls?
- Kernel object creation and deletion
- Example: deleting an IPC port.
How do we speed them up?
- Original solution: Don't do it.
Data Structure Manipulation
- Allow preemption points
- Progress must be made between points
Preemption Point
- Kernel checkpoints progress
- Checks for interrupts
- Resumes system call
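The preemption-point scheme on the last two slides, as an added example in C that is not from the paper or the seL4 source: a simulated endpoint deletion keeps its checkpoint in the object itself, looks at a (simulated) interrupt line only after a fixed quantum of work so progress between points is guaranteed, and is re-issued once the interrupt has been serviced. Names such as endpoint_delete, simulate_delete and PREEMPT_INTERVAL are assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed model, not seL4 source: deleting an IPC endpoint must unblock
 * every thread queued on it, one TCB per unit of work. */
#define MAX_TCBS 256
#define PREEMPT_INTERVAL 16   /* units of guaranteed progress between preemption points */
typedef struct tcb { bool blocked; struct tcb *next; } tcb_t;
typedef struct { tcb_t *queue; size_t work_done; } endpoint_t;
typedef enum { SYSCALL_DONE, SYSCALL_PREEMPTED } syscall_status_t;
static tcb_t pool[MAX_TCBS];
static bool irq_pending;   /* simulated interrupt line (a real kernel reads the controller) */

/* Long-running operation with preemption points. All progress lives in the object
 * (ep->queue is the checkpoint), so the single-stack kernel returns holding no state. */
static syscall_status_t endpoint_delete(endpoint_t *ep)
{
    size_t since_check = 0;
    while (ep->queue != NULL) {
        tcb_t *t = ep->queue;
        ep->queue = t->next;        /* advance the checkpoint before anything else */
        t->next = NULL; t->blocked = false;
        ep->work_done++;
        /* Preemption point: only after PREEMPT_INTERVAL units of work, never on the last one. */
        if (++since_check == PREEMPT_INTERVAL && ep->queue != NULL) {
            since_check = 0;
            if (irq_pending) return SYSCALL_PREEMPTED;  /* kernel services the IRQ; user retries */
        }
    }
    return SYSCALL_DONE;
}

/* Queue n threads, raise one interrupt while the delete runs, and retry until it
 * completes. Returns the number of preemptions taken, or -1 on failure. */
int simulate_delete(size_t n)
{
    if (n == 0 || n > MAX_TCBS) return -1;
    endpoint_t ep = { .queue = NULL, .work_done = 0 };
    for (size_t i = n; i-- > 0;) {
        pool[i] = (tcb_t){ .blocked = true, .next = ep.queue };
        ep.queue = &pool[i];
    }
    irq_pending = true;
    int preemptions = 0;
    while (endpoint_delete(&ep) == SYSCALL_PREEMPTED) {
        preemptions++;
        irq_pending = false;    /* IRQ handled at most PREEMPT_INTERVAL units late */
    }
    for (size_t i = 0; i < n; i++) if (pool[i].blocked) return -1;
    return ep.work_done == n ? preemptions : -1;
}
```

With 50 queued threads the call is preempted exactly once, at the first point after 16 units of work, and the interrupt is never delayed by more than that quantum.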
WCET
- Difficult to compute
- Observations cannot be trusted
WCET Problems
- Cache policies
- Loops
- Execution paths
2nd WCET Results
- Approx. 500 MHz system
- With better WCET analysis:
  - ~300 microsecond computed WCET
  - Much closer to observed
Significance
- Verified microkernel
- Supports address spaces
- Protected-mode kernel
- Still manages sub-millisecond worst-case interrupt execution time
Future Work
- Re-verification
- A few more optimizations
  - IPC send-receive
  - capability policy
That’s all folks!
L4RTL
Shows that RT tasks can be run in user space alongside normal Linux applications (provides separate address spaces). The performance hit is there, but not that bad.
RTLinux keeps the RT tasks in kernel space.
Stack Blocking
seL4 is event-based, which means a single kernel stack (unlike thread-based kernels, which keep a stack for every process and are easy to preempt: just swap stacks).
The kernel cannot simply preempt, because the stack is shared. Stack blocking occurs if process1 holds an exclusive object and process2 preempts it. Process2 takes the top of the stack, effectively blocking process1 from running.
There are solutions, but they would force a policy on seL4.