[Slide 1]
Prosa: A Case for Readable Mechanized Schedulability Analysis
Felipe Cerqueira, Felix Stutz, Björn B. Brandenburg
(ECRTS Artifact Evaluation badge: Consistent * Complete * Well Documented * Easy to Reuse * Evaluated)
[Slide 2]
Prosa
Open-source foundation for formally proven schedulability analysis
Readable Formal Specification: Jobs, Response time, Multiprocessor, …
Mechanized Proofs: Response-time Bounds, …
Schedulability Tests
[Slides 3-6]
This Talk
Mechanized proofs provide an opportunity to avoid the correctness pitfalls in real-time scheduling.
By focusing on readability and by maintaining the established proof culture, mechanized proofs can reach the community at large.
Thanks to mature proof assistants and libraries, Prosa allows mechanizing recent and complex schedulability analyses in reasonable time.
[Slides 7-8]
Outline of the Talk
Why mechanized proofs?
Challenges & Principles
A Taste of Prosa
[Slide 9]
What do we mean by mechanized?
[Slides 10-11]
RTS theory has been built with pen-and-paper proofs
Abstract view of the system → Semi-formal specification → Pen-and-paper proofs → Schedulability analysis, e.g. the utilization test $\sum_i \frac{e_i}{T_i} \le 1$
[Slides 12-15]
What is mechanized schedulability analysis?
What is the difference?
We switch to a formal specification: Abstract view of the system → Formal specification (in place of the semi-formal specification).
We prove theorems using a proof assistant: Formal specification → Mechanized proofs (in place of pen-and-paper proofs).
The resulting schedulability analysis is formally verified: Mechanized proofs → Mechanized schedulability analysis.
[Slides 16-17]
Why mechanized proofs?
Guaranteed Correctness
Trustworthy Extensions
Safe Composition
[Slides 18-19]
RTS have become more complex
[Figure: timeline of some major achievements in real-time scheduling theory, year (1955 to 2015) against model complexity (realism). Labels: single job, EDD, EDL, EDF, RM, periodic, RTA, PDC, exact analysis, SRP, PIP, PCP, resource sharing, CBS, PS, DS, SS, TBS, slack stealer, resource reservation, DAGs, digraph, BROE, BWI, SIRAP, overrun, elastic, skip, imprecise, flexible, DPM, DVFS.]
Source: G. Buttazzo (Keynote @ RTSS’14)
We need complex models to support real-world requirements
[Slide 20]
This complexity comes with a price
The original analysis for CAN had a bug that remained undetected from 1994 to 2006 [1].
[1] Davis, R. I., Burns, A., Bril, R. J., & Lukkien, J. J. “Controller Area Network (CAN) schedulability analysis: Refuted, revisited and revised.” Real-Time Systems, 35(3), 239-272, 2007.
[Slide 21]
Bugs are no longer an exception
Proofs have become so complicated that they often contain bugs.
[Figure: paper excerpt, annotated “our paper”]
[Slides 22-23]
Analysis for safety-critical systems?
How to ensure that schedulability analysis is actually correct?
Mechanized proofs. Opportunity: correctness is inherently guaranteed.
[Slide 24]
Why mechanized proofs?
Trustworthy Extensions
Safe Composition
Guaranteed Correctness
[Slides 25-27]
Analyses sometimes need refining
In most analyses, practical details are assumed to be negligible.
But when deploying actual systems, we might need to refine the analysis.
Basic Analysis → Overhead Accounting, Blocking Analysis, Task Dependence
We call these extensions (i.e., same results + tweaks) neighboring proofs.
[Slide 28]
Example: incorporating release jitter
Basic RTA, uniprocessor:
$R_i \le e_i + \sum_{\tau_j \in hp(i)} \left\lceil \frac{R_i}{T_j} \right\rceil e_j$
RTA with jitter, uniprocessor:
$R_i = J_i + e_i + r_i$, with $r_i \le e_i + \sum_{\tau_j \in hp(i)} \left\lceil \frac{r_i + J_j}{T_j} \right\rceil e_j$
Basic RTA, multiprocessor:
$R_i \le e_i + \sum_{\tau_j \in hp(i)} \left\lceil \frac{I_j(R_i)}{T_j} \right\rceil e_j$
RTA with jitter, multiprocessor: ???
It has been known for more than 20 years how to incorporate release jitter into uniprocessor RTA [3].
[3] Audsley, N., Burns A., Richardson, M., Tindell, K., and Wellings, A. “Applying new scheduling theory to static priority pre-emptive scheduling,” Software Engineering Journal, vol. 8, no. 5, pp. 284-292, 1993.
[Slides 29-30]
Example: incorporating release jitter. Can we do the same for multiprocessors?
Basic RTA, uniprocessor:
$R_i \le e_i + \sum_{\tau_j \in hp(i)} \left\lceil \frac{R_i}{T_j} \right\rceil e_j$
RTA with jitter, uniprocessor:
$R_i = J_i + e_i + r_i$, with $r_i \le e_i + \sum_{\tau_j \in hp(i)} \left\lceil \frac{r_i + J_j}{T_j} \right\rceil e_j$
Basic RTA, multiprocessor:
$R_i \le e_i + \frac{1}{m} \cdot \sum_{\tau_j \in hp(i)} \left\lfloor \frac{I_j(R_i)}{T_j} \right\rfloor r_j$
RTA with jitter, multiprocessor: ???
But this result has not been proven for multiprocessor RTA.
Just sum up the max jitter?
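Added example (my own code, not from the talk and not Prosa's Coq): the uniprocessor fixed-point iterations from the slides above, run in Python on a constructed three-task set listed in decreasing priority order. The jitter-aware part uses the busy-window form of Audsley et al. [3]: r_i is the fixed point of the slide's r_i equation, which already contains e_i, so the bound reported is J_i + r_i. The third function is the tempting shortcut of adding a task's own jitter onto the basic bound; on this task set it returns 9 for the lowest-priority task while the jitter-aware fixed point is 13, because higher-priority jitter J_j pulls extra releases into the window.

```python
from typing import List, NamedTuple, Optional, Tuple


class Task(NamedTuple):
    """Sporadic task with implicit deadline (D_i = T_i); constructed for this example."""
    name: str
    e: int  # worst-case execution time e_i
    T: int  # period T_i
    J: int  # release jitter J_i


# Constructed task set, in decreasing priority order: hp(i) = TASKS[:i].
TASKS: List[Task] = [
    Task("tau_1", e=2, T=5, J=2),
    Task("tau_2", e=2, T=10, J=0),
    Task("tau_3", e=3, T=20, J=0),
]


def ceil_div(a: int, b: int) -> int:
    """Integer ceiling of a / b, avoiding floating point."""
    return -(-a // b)


def basic_rta(tasks: List[Task], i: int) -> Optional[int]:
    """Basic uniprocessor RTA: least fixed point of
       R_i = e_i + sum_{tau_j in hp(i)} ceil(R_i / T_j) * e_j.
    Returns None if the iteration exceeds the deadline T_i (task unschedulable)."""
    ti = tasks[i]
    r = ti.e
    while True:
        nxt = ti.e + sum(ceil_div(r, tj.T) * tj.e for tj in tasks[:i])
        if nxt > ti.T:
            return None
        if nxt == r:
            return r
        r = nxt


def jitter_rta(tasks: List[Task], i: int) -> Optional[Tuple[int, int]]:
    """Jitter-aware uniprocessor RTA in the form of Audsley et al. [3]:
       r_i = e_i + sum_{tau_j in hp(i)} ceil((r_i + J_j) / T_j) * e_j,
       R_i = J_i + r_i.
    Returns (r_i, R_i), or None if R_i would exceed the deadline T_i."""
    ti = tasks[i]
    r = ti.e
    while True:
        nxt = ti.e + sum(ceil_div(r + tj.J, tj.T) * tj.e for tj in tasks[:i])
        if ti.J + nxt > ti.T:
            return None
        if nxt == r:
            return r, ti.J + r
        r = nxt


def naive_jitter_bound(tasks: List[Task], i: int) -> Optional[int]:
    """The shortcut to avoid: basic bound plus the task's own jitter. It ignores that
    higher-priority jitter J_j can pull additional releases into the busy window."""
    base = basic_rta(tasks, i)
    return None if base is None else base + tasks[i].J


if __name__ == "__main__":
    for i, t in enumerate(TASKS):
        print(t.name, "basic:", basic_rta(TASKS, i),
              "naive basic+J_i:", naive_jitter_bound(TASKS, i),
              "jitter-aware (r_i, R_i):", jitter_rta(TASKS, i))
```

Tightening tau_3's period to 12 makes the difference visible as a schedulability verdict rather than a number: the basic iteration still converges to 9 and declares the task schedulable, while the jitter-aware iteration crosses the deadline and returns None.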
[Slide 31]
The answer is that we don’t know
Different system models have different assumptions. What if changing the model breaks some existing proof?
[Slide 32]
Recent case: self-suspending tasks
Misuse of release jitter in the analysis caused bugs in 12 papers related to self-suspensions!
Excerpt from [1]: [figure]
[1] J.-J. Chen, G. Nelissen, W.-H. Huang, M. Yang, B. Brandenburg, K. Bletsas, C. Liu, P. Richard, F. Ridouard, N. Audsley, R. Rajkumar, and D. de Niz, “Many suspensions, many problems: A review of self-suspending tasks in real-time systems,” Department of Computer Science, TU Dortmund, Tech. Rep. 854, 2016.
[Slides 33-34]
How to derive safe extensions?
We just need to refine the analysis and let the proof assistant recheck the proofs.
If there is a bug, it will always be detected, and we know exactly what to fix.
Mechanized proofs. Opportunity: neighboring proofs are conducted systematically.
[Slide 35]
Why mechanized proofs?
Trustworthy Extensions
Safe Composition
Guaranteed Correctness
[Slide 36]
Sometimes we have to combine different analyses
Even if each analysis is individually correct, they should not be combined if assumptions mismatch.
Example: pairing a schedulability analysis with a blocking bound.
Suspension-oblivious schedulability analysis
Suspension-aware schedulability analysis
Suspension-aware blocking bound
Suspension-oblivious blocking bound
(The diagram marks the pairs with matching assumptions as compatible and the mismatched pairs as incompatible.)
[Slides 37-38]
How to avoid mismatching assumptions?
We just need to avoid stating contradictory assumptions. But this can also be mechanically verified!
Mechanized proofs. Opportunity: mismatching assumptions are automatically caught by the proof assistant.
[Slide 39]
No more correctness pitfalls
Trustworthy Extensions
Safe Composition
Guaranteed Correctness
Mechanized proofs provide an opportunity to avoid the correctness pitfalls in real-time scheduling.
[Slides 40-41]
Outline of the Talk
Why mechanized proofs?
Challenges & Principles
A Taste of Prosa
[Slides 42-46]
Verification has many challenges
“Formal specifications are complex and full of symbols.”
“It might take many decades to verify all we know about real-time scheduling.”
“Knowledge about formal methods tends to be restricted to few research groups.”
But there’s an opportunity to change…
[Slide 47]
Principles & Goals of Prosa
1. Readability is crucial
2. Some proofs are more important than others
3. We should maintain the proof culture
4. Community involvement
[Slides 48-49]
Principle 1: Readability is crucial
The specification should be accessible to researchers with no previous experience with formal methods.
We favor:
Long, verbose names and few cryptic symbols
Heavy use of documentation
Many lemmas, short proofs (few dozen lines)
[Slides 50-51]
Complex notation harms readability
Duration Calculus [Yuhua and Chaochen, 1994]
Prosa:
(* A scheduler is work-conserving iff all processors are busy (non-idle) whenever a job is backlogged. *)
Definition work_conserving :=
  ∀ j ∀ t, backlogged job_cost sched j t →
    ∀ cpu, ∃ j_other, scheduled_on sched j_other cpu t.
[Slides 52-57]
Long names and few symbols
(* A scheduler is work-conserving iff all processors are busy (non-idle) whenever a job is backlogged. *)
Definition work_conserving :=
  ∀ j ∀ t, backlogged job_cost sched j t →
    ∀ cpu, ∃ j_other, scheduled_on sched j_other cpu t.
A scheduler is work-conserving iff...
...for every job j and time t...
...if job j is backlogged at time t, ...
...then every processor cpu has a job j_other...
...that is scheduled on cpu at time t.
[Slides 58-59]
Principle 2: Some proofs are more important than others
To make progress, we should focus on practical results.
We should formalize recent analyses and move towards multiprocessor scheduling.
Critical results should be proven first. E.g., proving analysis safety is more important than termination, time complexity or optimality.
[Slides 60-61]
Principle 3: Maintain the proof culture
To ensure accessibility, we should reuse the established proof style of the real-time systems community.
We avoid complex logics (e.g., temporal operators) and advanced constructs from the proof assistant (e.g., records, canonical structures, etc.).
We favor instead first-order logic, lists, functions, basic arithmetic.
[Slide 62]
Unusual notation discourages adoption
EDF Optimality in PPTL [Zhang, 2014]
Prosa — Definition of Instantaneous Service
Definition service_at (t: time) := \sum_(cpu < num_cpus | scheduled_on j cpu t) 1.
[Slides 63-66]
LaTeX-like operators improve readability
Instantaneous Service
Definition service_at (t: time) := \sum_(cpu < num_cpus | scheduled_on j cpu t) 1.
Sum over each processor...
...where job j is scheduled...
...of 1 (i.e., a count).
Pages 67–68
Principle 4: Community involvement
Vision: shared repository of real-time scheduling concepts and proofs.
We encourage participation by the community:
Specification accepted by the community + Mechanized proofs = Non-disputable results
Check out our website: prosa.mpi-sws.org
Page 69
Mechanized proofs can reach the community at large
1. Readability is crucial
2. Some proofs are more important than others
3. We should maintain the proof culture
4. Community involvement
By focusing on readability and by maintaining the established proof culture, mechanized proofs can reach the community at large.
Pages 70–71
Outline of the Talk
Why mechanized proofs?
Challenges & Principles
A Taste of Prosa
Pages 72–73
Prosa is a collection of definitions, assumptions and theorems
Prosa covers many concepts from real-time scheduling:
Library schedule: instantaneous service, cumulative service, job is pending, job is complete, ...
Library interference: total interference, per-task interference, ...
Library platform: work conservation, priority enforcement, ...
Pages 74–80
Assumptions can be easily checked (~10–15 in each analysis)
In any given schedule and for any given actual job execution costs, jobs do not execute after completion:
Definition completed_jobs_dont_execute := ∀ j ∀ t, service sched j t ≤ job_cost j.
For every job j at any time t, the service received by j is no larger than its cost.
Pages 81–83
Theorems are proven in small steps using lemmas
Theorem workload_bounded_by_W : workload_of tsk t1 (t1 + delta) ≤ workload_bound.
We upper-bound the workload of a task...
Lemma workload_bound_many_periods_in_between : job_arrival j_lst - job_arrival j_fst ≥ num_mid_jobs.+1 × (task_period tsk).
...based on the minimum distance between its first and last jobs in the interval.
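The separation argument behind the lemma on slide 83, as an added executable example for this transcript (Python, not Prosa's Coq code). It checks, on constructed sporadic arrival sequences, that the first and last jobs arriving inside a window are at least (num_mid_jobs + 1) periods apart, and derives from that how many jobs a window of length delta can contain at most. The slide does not show the formula of workload_bound; the bound computed here charges each job arriving in the window its full cost, which is the weakest consequence of the lemma rather than the bound Prosa proves. The period, the cost and the arrival sequences are constructed.

```python
# Added example for this transcript, not Prosa code: the sporadic-separation
# argument behind lemma workload_bound_many_periods_in_between, checked on
# constructed arrival sequences. Time is discrete (integer slots), as in Prosa.
from typing import List

def is_sporadic(arrivals: List[int], period: int) -> bool:
    """Consecutive jobs of a sporadic task are released at least `period` apart."""
    return all(b - a >= period for a, b in zip(arrivals, arrivals[1:]))

def arrivals_in(arrivals: List[int], t1: int, delta: int) -> List[int]:
    """Arrival times of the task's jobs inside the window [t1, t1 + delta)."""
    return [a for a in arrivals if t1 <= a < t1 + delta]

def separation_lemma_holds(window: List[int], period: int) -> bool:
    """Slide 83: job_arrival j_lst - job_arrival j_fst >= (num_mid_jobs + 1) * period,
    where num_mid_jobs counts the jobs strictly between the first and the last one."""
    if len(window) < 2:
        return True  # no first/last pair to compare
    num_mid_jobs = len(window) - 2
    return window[-1] - window[0] >= (num_mid_jobs + 1) * period

def max_jobs_in_window(delta: int, period: int) -> int:
    """Consequence of the lemma: n arrivals inside a window of length delta satisfy
    (n - 1) * period <= delta - 1, hence n <= (delta - 1) // period + 1."""
    return 0 if delta <= 0 else (delta - 1) // period + 1

def workload_upper_bound(delta: int, period: int, cost: int) -> int:
    """Charge every job arriving in the window its full cost (it can receive no
    more, by completed_jobs_dont_execute). This is the weakest bound the lemma
    yields; the slide's own workload_bound formula is not shown."""
    return max_jobs_in_window(delta, period) * cost

def check_all_windows(arrivals: List[int], period: int, cost: int, delta: int) -> bool:
    """Check the lemma and the derived bound for every window start up to the last arrival."""
    if not is_sporadic(arrivals, period):
        raise ValueError("arrival sequence is not sporadic for this period")
    for t1 in range(arrivals[-1] + 1):
        window = arrivals_in(arrivals, t1, delta)
        if not separation_lemma_holds(window, period):
            return False
        if len(window) * cost > workload_upper_bound(delta, period, cost):
            return False
    return True

# Constructed arrival sequences for a task with period 5 and cost 2.
PERIOD, COST = 5, 2
PERIODIC = [0, 5, 10, 15, 20, 25]   # minimum separation throughout: the worst case
IRREGULAR = [0, 7, 12, 20, 33, 40]  # legal sporadic pattern with slack
TOO_DENSE = [0, 5, 8, 13]           # 8 - 5 < 5: violates the sporadic constraint

if __name__ == "__main__":
    for name, seq in (("periodic", PERIODIC), ("irregular", IRREGULAR)):
        print(name, check_all_windows(seq, PERIOD, COST, delta=11))
    print("too dense is sporadic:", is_sporadic(TOO_DENSE, PERIOD))
```

The periodic sequence, in which every job arrives at the minimum separation, is the case where the derived job count is reached exactly; the non-sporadic sequence is rejected before any window is examined, because the lemma only holds under the sporadic arrival assumption.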
Page 84
Prosa covers many concepts and is well-documented
Concepts: Sporadic tasks, Job priorities, Job arrival constraints, Response time bounds, Interference, Deadline misses, Parallelism
Lines of code:
  Specification  6661
  Proofs        17104
  Comments       3442
1 comment for every 2 lines of spec!
Total count:
  Definition/Let  714
  Lemma/Theorem   699
We use short, easy-to-understand definitions.
Pages 85–90
What we have proven so far
• Sporadic Task Model
• Workload-based interference bounds for work-conserving schedulers (~600 LOC) and EDF schedulers (~890 LOC)
• Definition and proofs of correctness and termination of Bertogna and Cirinei’s RTA for FP scheduling (~1050 LOC)
➡ Same for Bertogna and Cirinei’s RTA for EDF scheduling (~1320 LOC)
• Implementation of a work-conserving scheduler to test for contradictory assumptions (~560 LOC)
• Extensions
➡ Same definitions and proofs for workloads with release jitter (~5620 LOC)
➡ Same definitions and proofs for workloads with parallel jobs (~3030 LOC)
(in ~8 person months)
} novel results
Thanks to mature proof assistants and libraries, Prosa allows mechanizing recent and complex schedulability analyses in reasonable time.
Pages 91–94
Future Work
1. Correct recently refuted proofs
   a) APA scheduling (done! see prosa.mpi-sws.org/apa)
   b) Self-suspending tasks
2. Verify practical results
   a) Semi-partitioned scheduling (e.g. C=D)
   b) Blocking analysis
   c) Overhead accounting
3. Investigate how to integrate Prosa with analysis tools and scheduler implementations
Pages 95–98
Disclaimer
Not every proof has to be formalized.
Pen-and-paper proofs are still useful.
We aim for readable specifications, but writing formal proofs remains non-trivial.
Page 99
By focusing on readability and by maintaining the established proof culture, mechanized proofs can reach the community at large.
Mechanized proofs provide an opportunity to avoid the correctness pitfalls in real-time scheduling.
Thanks to mature proof assistants and libraries, Prosa allows mechanizing recent and complex schedulability analyses in reasonable time.
More info at prosa.mpi-sws.org
Page 101
Backup slides
Page 102
Generality of discrete time
[2] Bonifaci, V. and Marchetti-Spaccamela, A., “Feasibility analysis of sporadic real-time multiprocessor task systems,” in Proc. of the 18th Annual European Symposium on Algorithms (ESA’10), 2010.
Results about dense time could still be formalized with Coq libraries for real numbers, e.g. Coquelicot.
Page 103
Working with Real Numbers
Coquelicot: A User-Friendly Library of Real Analysis for Coq
Formalization of limits, continuity, differentiability, Riemann integrals, series, etc.
More info at coquelicot.saclay.inria.fr
Page 104
Library: Probability Theory
Moreira, D. Finite Probability Distributions in Coq (2012).
Total/conditional probability, Bayes' theorem, random variables and finite distributions
Page 105
Related Work
Pages 106–108
Formalisms for schedulability analysis
Based on the Duration Calculus (DC) interval logic
• Proof of EDF optimality [Yuhua and Chaochen 1994] — improved version [Zhan 2000]
• Schedulability condition of RM [Schuzhen et al. 1999]
• Simplified proofs and review [Xu and Zhan 2008]
+ Formalism reduces ambiguity
- Complex logics and manual proofs
- Only uniprocessor scheduling
Pages 109–111
Earlier mechanized proofs
• Proof of EDF optimality using Nqthm [Wilding 1998]
• Analysis of the Priority Ceiling and Priority Inheritance Protocols [Zhang et al. 1999] [Dutertre 1999] [Dutertre and Stavridou 2000]
• Schedulability conditions based on task phase using Coq [De Rauglaudre 2012]
• Certified Computations of Network Calculus in Isabelle/HOL [Mabille et al. 2013]
• Implementation and proof of EDF optimality with Propositional Projection Temporal Logic (PPTL) in Coq [Zhang et al. 2014]
+ Mechanically-checked
- No results about multiprocessors
- Not widely adopted by our community
Pages 112–114
Model checking and timed automata
• Analysis of uniprocessor FP scheduling using UPPAAL [Fersman et al. 2006]
• Analysis of multiprocessor FP and EDF scheduling of periodic tasks using UPPAAL and NuSMV [Guan et al. 2007] [Guan et al. 2008] [Cordovilla et al. 2011]
• Analysis of sporadic tasks based on state exploration and automata reachability [Baker and Cirinei 2007] [Geeraerts et al. 2012] [Burmyakov et al. 2015] [Sun and Lipari 2015]
+ Multiprocessor, exact schedulability analysis
- State explosion (≤ 10 tasks or 4 processors)
Page 115
Avoiding contradictory assumptions
1. Implement a scheduler function S using the proof assistant (take pending jobs, sort by priority, assign to CPUs, ...).
2. Prove that scheduler S satisfies every requirement of the analysis (work-conserving, enforces priority, etc.) in an assumption-free context.
3. Since S is an actual algorithm, it is impossible that two contradictory assumptions are both satisfied by S: a set of assumptions with a concrete witness is satisfiable, so the analysis cannot be holding vacuously because of an inconsistent premise.
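The scheduler-as-witness idea of slide 115, together with the definitions service_at (slide 62) and completed_jobs_dont_execute (slide 77), as an added executable model for this transcript in Python. It is not Prosa's Coq code, and it checks the assumptions on one finite instance rather than proving them: a discrete-time multiprocessor schedule is a map from (cpu, t) to a job, the scheduler S takes the pending jobs, sorts them by priority and assigns them to CPUs, and the checks for completed_jobs_dont_execute, work conservation and priority enforcement are run over the resulting schedule and over a hand-broken copy of it. The job set, the two-CPU platform and the integer priorities (lower number = higher priority) are constructed assumptions.

```python
# Added example for this transcript, not Prosa's Coq code: an executable,
# discrete-time model of service_at / completed_jobs_dont_execute and of the
# scheduler S of slide 115, checked on one constructed instance (not a proof).
# Assumption: priorities are integers, and a lower number means higher priority.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Job:
    jid: int       # job identifier
    arrival: int   # job_arrival j
    cost: int      # job_cost j (actual execution cost)
    priority: int  # assumed convention: lower number = higher priority

# sched[(cpu, t)] is the job id that `cpu` runs in slot t, or None when idle.
Schedule = Dict[Tuple[int, int], Optional[int]]

def service_at(sched: Schedule, num_cpus: int, j: Job, t: int) -> int:
    """Slide 62: count the CPUs on which job j is scheduled at time t."""
    return sum(1 for cpu in range(num_cpus) if sched.get((cpu, t)) == j.jid)

def service(sched: Schedule, num_cpus: int, j: Job, t: int) -> int:
    """Cumulative service received by j in slots 0 .. t-1."""
    return sum(service_at(sched, num_cpus, j, tp) for tp in range(t))

def pending(sched: Schedule, num_cpus: int, j: Job, t: int) -> bool:
    """Job has arrived and has not yet received its full cost."""
    return j.arrival <= t and service(sched, num_cpus, j, t) < j.cost

def completed_jobs_dont_execute(sched, num_cpus, jobs, horizon) -> bool:
    """Slide 77: for every job j and time t, service sched j t <= job_cost j."""
    return all(service(sched, num_cpus, j, t) <= j.cost
               for j in jobs for t in range(horizon + 1))

def waiting(sched, num_cpus, jobs, t) -> List[Job]:
    """Jobs that are pending at t but not scheduled on any CPU at t."""
    return [j for j in jobs
            if pending(sched, num_cpus, j, t) and service_at(sched, num_cpus, j, t) == 0]

def work_conserving(sched, num_cpus, jobs, horizon) -> bool:
    """No CPU is idle in a slot in which some pending job is left waiting."""
    return all(not (any(sched.get((cpu, t)) is None for cpu in range(num_cpus))
                    and waiting(sched, num_cpus, jobs, t))
               for t in range(horizon))

def enforces_priority(sched, num_cpus, jobs, horizon) -> bool:
    """A waiting job is only displaced by jobs of higher or equal priority."""
    by_id = {j.jid: j for j in jobs}
    for t in range(horizon):
        running = [by_id[sched[(cpu, t)]] for cpu in range(num_cpus)
                   if sched.get((cpu, t)) is not None]
        if any(r.priority > j.priority
               for j in waiting(sched, num_cpus, jobs, t) for r in running):
            return False
    return True

def build_schedule(jobs: List[Job], num_cpus: int, horizon: int) -> Schedule:
    """Scheduler S of slide 115: take pending jobs, sort by priority, assign to CPUs."""
    sched: Schedule = {}
    for t in range(horizon):
        ready = sorted((j for j in jobs if pending(sched, num_cpus, j, t)),
                       key=lambda j: (j.priority, j.jid))
        for cpu in range(num_cpus):  # one CPU per job: jobs stay sequential
            sched[(cpu, t)] = ready[cpu].jid if cpu < len(ready) else None
    return sched

def check_assumptions(sched, num_cpus, jobs, horizon) -> Dict[str, bool]:
    return {"completed_jobs_dont_execute": completed_jobs_dont_execute(sched, num_cpus, jobs, horizon),
            "work_conserving": work_conserving(sched, num_cpus, jobs, horizon),
            "enforces_priority": enforces_priority(sched, num_cpus, jobs, horizon)}

def response_time(sched, num_cpus, j, horizon) -> Optional[int]:
    """Earliest t with service >= cost, minus the arrival; None if j never completes."""
    for t in range(horizon + 1):
        if service(sched, num_cpus, j, t) >= j.cost:
            return t - j.arrival
    return None

# Constructed instance: three jobs on two CPUs, observed for 8 slots.
JOBS = [Job(1, arrival=0, cost=3, priority=0), Job(2, arrival=0, cost=2, priority=1),
        Job(3, arrival=1, cost=2, priority=2)]
NUM_CPUS, HORIZON = 2, 8
SCHED = build_schedule(JOBS, NUM_CPUS, HORIZON)

def broken_schedule() -> Schedule:
    """Copy of SCHED edited by hand so that job 2 keeps running after completing."""
    bad = dict(SCHED)
    bad[(1, 2)] = 2   # job 2 already has service 2 == cost 2 before slot 2
    return bad

if __name__ == "__main__":
    print(check_assumptions(SCHED, NUM_CPUS, JOBS, HORIZON))
    print({j.jid: response_time(SCHED, NUM_CPUS, j, HORIZON) for j in JOBS})
    print(check_assumptions(broken_schedule(), NUM_CPUS, JOBS, HORIZON))
```

Because S is a real algorithm whose output passes all three checks, the three properties are jointly satisfiable on this instance, which is exactly what rules out a contradictory pair; the hand-edited copy shows how a schedule that lets a completed job keep running also breaks work conservation two slots later, since the displaced job is then left pending while both CPUs idle. The Coq version on slide 115 establishes this for every input, which a test over one instance cannot.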