PROSA: A Case for Readable Mechanized Schedulability Analysis

Cerqueira, Felipe; Stutz, Felix; Brandenburg, Björn B.

doi:10.1109/ecrts.2016.28

Cited by 26 publications

(21 citation statements)

References 58 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the past decades, there have a few attempts at proving methods [13,14] for solving real-time problems. Recently, the Prosa library [11,12] has been proposed to provide formal specifications and mechanized proofs for schedulability analyses using the Coq proof assistant. The motivation behind our general task model for fixed priority scheduling is to add it to the Prosa library and prove the correctness of its RTA.…”

Section: Discussionmentioning

confidence: 99%

A Generalized Digraph Model for Expressing Dependencies

Fradet

Guo

Monin

et al. 2018

Proceedings of the 26th International Conference on Real-Time Networks and Systems

View full text Add to dashboard Cite

In the context of computer assisted verification of schedulability analyses, very expressive task models are useful to factorize the correctness proofs of as many analyses as possible. The digraph task model seems a good candidate due to its powerful expressivity. Alas, its ability to capture dependencies between arrival and execution times of jobs of different tasks is very limited. We propose here a task model that generalizes the digraph model and its corresponding analysis for fixed-priority scheduling with limited preemption. A task may generate several types of jobs, each with its own worst-case execution time, priority, non-preemptable segments and maximum jitter. We present the correctness proof of the analysis in a way amenable to its formalization in the Coq proof assistant.Our objective (still in progress) is to formally certify the analysis for that general model such that the correctness proof of a more specific (standard or novel) analysis boils down to specifying and proving its translation into our model. Furthermore, expressing many different analyses in a common framework paves the way for formal comparisons.

show abstract

Section: Discussionmentioning

confidence: 99%

A Generalized Digraph Model for Expressing Dependencies

Fradet

Guo

Monin

et al. 2018

Proceedings of the 26th International Conference on Real-Time Networks and Systems

View full text Add to dashboard Cite

show abstract

“…We claim that this does not reduce the value of our contribution, since the analyses behind SB [11], SLA [8] and the original XLWX [12] were all backed by theorems and proof sketches, but that did not prevent each of them from being subsequently found to be unsafe. We therefore leave as future work the formalisation of such a proof, as well as the evaluation of proof assistance approaches (as those addressed in [4]) which could prevent such analyses from being shown unsafe. At this point, we only claim is that ours is the tightest analysis that has not been proven optimistic by a counter-example.…”

Section: Discussionmentioning

confidence: 99%

Buffer-aware bounds to multi-point progressive blocking in priority-preemptive NoCs

Indrusiak

Burns

Nikolic

2018

2018 Design, Automation &Amp; Test in Europe Conference &Amp; Exhibition (DATE)

View full text Add to dashboard Cite

Abstract-This paper aims to reduce the pessimism of the analysis of the multi-point progressive blocking (MPB) problem in real-time priority-preemptive wormhole networks-on-chip. It shows that the amount of buffering on each network node can influence the worst-case interference that packets can suffer along their routes, and it proposes a novel analytical model that can quantify such interference as a function of the buffer size. It shows that, perhaps counter-intuitively, smaller buffers can result in lower upper-bounds on interference and thus improved schedulability. Didactic examples and large-scale experiments provide evidence of the strength of the proposed approach.

show abstract

“…The PROSA [Cerqueira et al 2016] project demonstrates readable mechanized proofs of various schedulability analyses written in Coq. It defines an abstract model of real-time tasks and real-time schedulers, and proves that all tasks will complete on time if certain conditions hold.…”

Section: Related Workmentioning

confidence: 99%

Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation

Liu

Rieg

Shao

et al. 2019

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

The reliability and security of safety-critical real-time systems are of utmost importance because the failure of these systems could incur severe consequences (e.g., loss of lives or failure of a mission). Such properties require strong isolation between components and they rely on enforcement mechanisms provided by the underlying operating system (OS) kernel. In addition to spatial isolation which is commonly provided by OS kernels to various extents, it also requires temporal isolation, that is, properties on the schedule of one component (e.g., schedulability) are independent of behaviors of other components. The strict isolation between components relies critically on algorithmic properties of the concrete implementation of the scheduler, such as timely provision of time slots, obliviousness to preemption, etc. However, existing work either only reasons about an abstract model of the scheduler, or proves properties of the scheduler implementation that are not rich enough to establish the isolation between different components. In this paper, we present a novel compositional framework for reasoning about algorithmic properties of the concrete implementation of preemptive schedulers. In particular, we use virtual timeline, a variant of the supply bound function used in real-time scheduling analysis, to specify and reason about the scheduling of each component in isolation. We show that the properties proved on this abstraction carry down to the generated assembly code of the OS kernel. Using this framework, we successfully verify a real-time OS kernel, which extends mCertiKOS, a single-processor non-preemptive kernel, with user-level preemption, a verified timer interrupt handler, and a verified real-time scheduler. We prove that in the absence of microarchitectural-level timing channels, this new kernel enjoys temporal and spatial isolation on top of the functional correctness guarantee. All the proofs are implemented in the Coq proof assistant.

show abstract

PROSA: A Case for Readable Mechanized Schedulability Analysis

Cited by 26 publications

References 58 publications

A Generalized Digraph Model for Expressing Dependencies

A Generalized Digraph Model for Expressing Dependencies

Buffer-aware bounds to multi-point progressive blocking in priority-preemptive NoCs

Virtual timeline: a formal abstraction for verifying preemptive schedulers with temporal isolation

Contact Info

Product

Resources

About