Page 1

Page 1

Towards a Schedu

Capturing OS Expertise in an Event Type System:the Bossa Experience

Julia L. LawallDIKU, University of Copenhagen

Joint work with: Gilles Muller

Obasco Group, Ecole des Mines de Nantes/INRIA

http://www.emn.fr/x-info/bossa

Page 2

Page 2

Program issues

Approach: exploit the restricted nature of DSLs to address all of these issues.

Doesnothing wrong

Doessomething

right

Executesefficiently

Page 3

Page 3

Context: OS extensibility

Goals:– Policies for specific applications.– Policies for specific execution contexts.– Eliminate unnecessary functionality for speed /

reduced resource consumption.

Safety is critical

Page 4

Page 4

Approaches to OS extensibility

Berkeley Packet Filter:– interpreted for safety

Exo-kernel– extensions run at the user level

Proof-carrying code– extensions accompanied by a correctness proof

SPIN, OKE:– extensions written in a safe language

Address safety, correctness at best ad hoc.

Page 5

Page 5

A domain-specific approach

Bossa, a DSL for developing CPU schedulers

RTSKernel(Linux)

DSL policy

Compiled policy

Bossa compiler/verifier

kernel expertpolicy developers

Page 6

Page 6

Bossa DSL: policy structure

Declarations– states– process attributes– process priorities

OS interface Programmer interface

Page 7

Page 7

Extract of a scheduling policy

states = { RUNNING running : process;

READY ready : select sorted queue; READY expired : sorted queue; READY yield : process;

BLOCKED blocked : queue;

TERMINATED terminated;}

Page 8

Page 8

Event handlershandler (event e) { … On block.* { running => blocked; }

On unblock.preemptive.* { if (!empty(running) && e.target > running) running => ready; e.target => ready; } …}

Page 9

Page 9

Correctness issues

Is the chosen algorithm appropriate? Is the algorithm implemented faithfully? Does the implementation interact correctly

with the target OS?

This work focuses on the third issue...

Page 10

Page 10

Event handlershandler (event e) { … On block.* { running => blocked; }

On unblock.preemptive.* { if (!empty(running) && e.target > running) running => ready; e.target => ready; } …}

Reasonable behavior, but what does the kernel expect?

Page 11

Page 11

Event types For each event, describe:

– Event notification context.

– Expected handler effect.– block.*: [tgt in RUNNING] [tgt in BLOCKED]

Provided by the OS expert. Goals:

– Document kernel expectations.

– Check that these expectations are satisfied.

– Encapsulate kernel expertise.

– Policy independent.

Page 12

Page 12

Event type examples

block.*:– [tgt in RUNNING] [tgt in BLOCKED]

unblock.preemptive.*:– [tgt in BLOCKED] [tgt in READY]

– [p in RUNNING, tgt in BLOCKED]

[[p, tgt] in READY]

Missing Linux expertise:– unblock.preemptive.* is an interrupt; affects block.*.

– a process can be unblocked before it blocks.

Page 13

Page 13

Corrected types and handlers

block.*:– [tgt in RUNNING] [tgt in BLOCKED]

– [[] = RUNNING, tgt in READY] [tgt in BLOCKED]

On block.* { running => blocked;}

should be:

On block.* { e.target => blocked;}

Page 14

Page 14

Corrected types and handlers

unblock.preemptive.*:– [tgt in BLOCKED] [tgt in READY]

– [p in RUNNING, tgt in BLOCKED] [[p, tgt] in READY]

– [tgt in RUNNING] [tgt in RUNNING]

– [[] in RUNNING, tgt in READY] [tgt in READY]

On unblock.preemptive.* { if (e.target in blocked) { if (!empty(running) && e.target > running) running => ready; e.target => ready; }}

Page 15

Page 15

Event types for safety

bossa.schedule– [[] = RUNNING, q in READY] [q in RUNNING]

On bossa.schedule { if (empty(ready)) { if (empty(expired)) { yield => ready; } else { expired => ready; } } select() => running;}

Page 16

Page 16

Event types for optimization

block.*:– [tgt in RUNNING] [tgt in BLOCKED]

– [[] = RUNNING, tgt in READY] [tgt in BLOCKED]

Specialized event sequences.

if (tgt == running) move_proc_queue(running,blocked);else move_queue_queue(tgt,blocked);

Page 17

Page 17

Assessment

For critical OS services, need more than safety guarantees.

Analyzing the entire kernel with respect to each new policy is both expensive and not so necessary.

Event types guide the developer and permit relevant verifications.

Page 18

Page 18

Current status

Bossa versions of Linux 2.2 and 2.4 kernels. Policies:

– Process schedulers:» Linux, BSD, EDF, Progress-based, Linux O(1)

– Virtual schedulers:» Fixed-priority, proportional share

Automatic kernel instrumentation in progress Low overhead for lat_ctx. No overhead for more

typical applications.

Page 19

Page 19

Future work

Test event type expressiveness:– New OSes:

» BSD, OSes for real-time or embedded systems...

– New policies» multimedia, real-time, energy aware…

Model checking for verifying policies. Model checking for verifying event types.

http://www.emn.fr/x-info/bossa