





# Automata-based Formal Analysis and Verification of the Real-Time Linux Kernel

Candidate: Daniel Bristot de Oliveira Supervisors: Rômulo Silva de Oliveira Tommaso Cucinotta





# Real-Time Linux





# "Real-Time" Linux



### Real-Time Linux vs Real-Time theory

#### Experimental vs Analytical

| <pre>/ /dev/cpu_dma</pre>                                                                                                                                                                                                                                                                                          | -01 ~]# cyclictes<br>_latency set to 0<br>loadavg: 14.90 6.                                                                                                                       |                                                                                                                            |                                                                                                                                | 1                                                                                      |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| T:       1       (2725899)         T:       2       (2735900)         T:       3       (2735901)         T:       4       (2735902)         T:       5       (2735903)         T:       6       (2735904)         T:       7       (2735905)         T:       7       (2735905)         T:       8       (2735906) | P:95 I:1000 C:<br>P:95 I:1500 C:<br>P:95 I:2000 C:<br>P:95 I:2500 C:<br>P:95 I:3500 C:<br>P:95 I:3500 C:<br>P:95 I:4000 C:<br>P:95 I:4500 C:<br>P:95 I:5000 C:                    | 66520 Min:<br>44341 Min:<br>33254 Min:<br>26598 Min:<br>22162 Min:<br>18993 Min:<br>16647 Min:<br>14769 Min:<br>13290 Min: | 4 Act:<br>4 Act:                     | 6 Avg:<br>6 Avg:<br>5 Avg:<br>5 Avg:<br>6 Avg:<br>5 Avg:<br>6 Avg:<br>5 Avg:<br>5 Avg: |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
| T. 0 (2735907)                                                                                                                                                                                                                                                                                                     | <pre>P:95 I:5500 C:<br/>P:95 I:6000 C:<br/>P:95 I:6500 C:<br/>P:95 I:7000 C:<br/>P:95 I:7500 C:<br/>P:95 I:8000 C:<br/>P:95 I:8500 C:<br/>P:95 I:8000 C:<br/>P:95 I:9000 C:</pre> | 12036 Min:<br>11072 Min:<br>9488 Min:<br>8854 Min:<br>8200 Min:<br>780I Min:<br>7378 Min:<br>6987 Min:<br>6638 Min:        | 4 Act:<br>8 Act:<br>4 Act:<br>5 Act:<br>5 Act:<br>5 Act:<br>4 Act:<br>5 Act:<br>4 Act:<br>5 Act:<br>5 Act:<br>5 Act:<br>5 Act: |                                                                                        | Max:         24           Max:         14           Max:         14           Max:         19           Max:         20           Max:         20 |







### Real-Time Linux vs Real-Time theory

#### Complex synchronization vs simple models

| •                            |             |               |                  |        |  |
|------------------------------|-------------|---------------|------------------|--------|--|
| Constructed a deal only      |             | uctictest.txt |                  |        |  |
| rootgrealtime-01 -           |             |               |                  |        |  |
| <pre>/dev/cpu_dma_late</pre> |             |               |                  |        |  |
| policy: fifo: loada          | wg: 14.90 6 | .21 3.98 2/38 | 2735923          |        |  |
|                              |             | ccano Min.    | 4 4-+-           |        |  |
| T: 0 (2785898) P:95          |             | 66520 Min:    | 4 Act:           | 5 Avg: |  |
| T: 1 (2735899) P:95          |             | 44341 Min:    | 4 Act:           |        |  |
| T: 2 (2735900) P:95          | 5 I:2000 C: | 33256 Min:    | 4 Act:           | 6 Avg: |  |
| T: 3 (2735901) P:95          | 1:2500 C:   | 26598 Min:    | 4 Act:           |        |  |
| T: 4 (2735902) P:95          | I:3000 C:   | 22162 Min:    | 4 Act:           | 5 Avg: |  |
| T: 5 (2735903) P:95          | T:3500 C:   | 18993 Min:    | 4 Act:           |        |  |
| T: 5 (27359993) F: 9         | T-4000 C.   | 16609 Min:    | 4 Act:           |        |  |
| T: 6 (2735904) P:95          | ) I:4000 C. | 14769 Min:    | 4 Act:           |        |  |
| T3 7 (2735905) P:95          | 5 I:4500 C. | 13290 Min:    | 4 Act:           |        |  |
| T: 8 (2735906) P:95          | 5 I:5000 C: | 12080 Min:    | 4 Act:           |        |  |
| To 0 (2735907) P:95          | 5 I:5500 C: |               | 8 Act:           |        |  |
| T:10 (2735908) P:9           | 5 I:6000 C: | 11002 Min:    | 4 Act:           |        |  |
| T:11 (2735909) P:9           | 5 I:6500 C: | 10219 Min:    | 5 Act:           |        |  |
| LITT INTERPORT               | 5 I:7000 C: | 9488 Min:     | 5 Act:           |        |  |
| LITE (WILMMAN)               | 5 I:7500 C: | 885@ Min:     | 5 Act:           |        |  |
| ICTO CREAMANNES              | 5 I:8000 C: | 8300 Min:     |                  |        |  |
| 二丁醇 人名卡尔布布莱加尔                | 5 1:0000 C: | 780I Min:     |                  |        |  |
| T:15 (2735913) P:9           | 5 I:8500 C: | 7370 Min:     |                  |        |  |
|                              | 5 I:9000 C: | 6983 Min:     |                  |        |  |
| T:17 (2735915) P:9           | 5 I:9500 C: | ccog Min:     | 5 Act:<br>5 Act: |        |  |









# How can we fill the gap between real-time Linux and real-time theory?





# Describing real-time properties of Linux as in theory!





8

# Easier said than done :-)



# Linux is complex

pristot@x1:~/src/git/linux-rt-dirvell-\_vim/lormaticity cpu = smp\_processor\_id(); schedule\_debug(prev, preempt);

\* can't be reordered with \_\_set\_current\_state from all even

- Lots of contexts
- Lots of hacks
- Lots of information
- Fast pacing



Panic!

rebooting...

Introduction



# What does real-time mean?



### Real-time definition



Real-time systems are computing systems where the correct behavior **does not depend only on the logical behavior**, **but also on the timing behavior**.



## Real-time Linux

To remove "" from real-time Linux...

# We need to show that Linux has a correct

logical and timing behavior.





# An informal<sup>2</sup> try

icy Online Library (wileyonlinelibrary.com). DOI: 10.1002/spc.2333

### Timing analysis of the PREEMPT RT Linux kernel

Daniel Bristot de Oliveira<sup>1,2</sup> and Romulo Silva de Oliveira<sup>1,3</sup>

<sup>1</sup>Department of Automation and Systems, Federal University of Santa Catarina, Florianopolis, Breen, <sup>2</sup>Red Hat, Inc., Brazil

#### SUMMARY

In the theory of real-time scheduling, tasks are described by mathematical variables, which are analytical models in order to prove schedulability of the system. On real-time Linux, tasks are programs, and Linux developers try to lower the latencies caused by the Linux kernet, available programs, and Linux developers try to lower the latencies caused by the Linux kernet, available programs, and Linux developers try to lower the latencies caused by the Linux kernet, available programs, and Linux developers try to lower the latencies caused by the Linux kernet, available programs, and Linux developers try to lower the latencies caused by the Linux kernet, available to be available of the highest-priority task. Although both seek temporal correctness, they are Using an informal language, and Informally enrolled in the PhD.

Published at "Software: practice and experience."

Building evidence that I could do the PhD as a partial-time student, and learning.



#### Timing analysis of the PREEMPT RT Linux kernel



Figure 10. Timeline of task pi-839.

The execution time of the system call *read()* was  $191.341 \,\mu$ s, which is much greater than  $5.609 \,\mu$ s, which was its execution time in the absence of blocking, in the previous example.

| 95 pi<br>96 pi<br>97 pi<br>98 pi | -839<br>-839 | [<br>[<br>[ | 9]<br>9]<br>9]<br>9] | [01]<br>[01]<br>[01]<br>[01] | 168.239972371<br>168.239972371<br>168.240005839<br>168.240013714 | >           | <pre>do_notify_resume() {    softirq_raise: vec=8 [action=HRTIMER]    sched_wakeup: comm=ksoftirqd/1 pid=15    prio=98    success=1 target_cpu=001</pre> | /    |
|----------------------------------|--------------|-------------|----------------------|------------------------------|------------------------------------------------------------------|-------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------|
| 99 pi                            |              | [           | 9]<br>91             | [01]                         | 168.240037487<br>168.240037487                                   | + 64.696 us | <pre>} do_notify_resume ()</pre>                                                                                                                         |      |
| 100 pi<br>101 pi                 |              | L           | 91                   | [01]<br>[01]                 | 168.240038795                                                    | <>          |                                                                                                                                                          |      |
|                                  |              | L           |                      |                              |                                                                  | >           | and the case of the second                                           |      |
| 102 pi                           |              | L           | 9]                   | [01]                         | 168.240038795                                                    |             | sys_rt_sigreturn() {                                                                                                                                     |      |
| 103 pi                           | -839         | [           | 9]                   | [01]                         | 168.240045205                                                    | 6.183 us    | } sys_rt_sigreturn ()                                                                                                                                    |      |
| 104 pi                           | -839         | [           | 9]                   | [01]                         | 168.240045205                                                    | <           |                                                                                                                                                          |      |
| 105 pi                           | -839         | [           | 9]                   | [01]                         | 168.240047616                                                    | >           |                                                                                                                                                          |      |
| 106 pi                           | -839         | [           | 91                   | [01]                         | 168.240047616                                                    |             | sys_pause() {                                                                                                                                            |      |
| 107 pi                           |              | Î.          | 91                   | [01]                         | 168.240047925                                                    |             | schedule() {                                                                                                                                             |      |
| 108 pi                           |              | ĺ           | 9]                   | [01]                         | 168.240063374                                                    |             | <pre>sched_switch: prev_comm=pi prev_pid=839 prev_prio=9 prev_state=S ==&gt; next_comm=ksoftirqd/1 next_pid=15 next_prio=98</pre>                        | //// |
|                                  |              |             |                      |                              |                                                                  |             |                                                                                                                                                          |      |

It is the background of the thesis.

It was done before the official PhD enrolment, but... it is part of the PhD, at least inside our **\U**.





### Timing analysis of the PREEMPT RT Linux kernel

Lessons learned



#### Pros

- Good level of abstraction
- Usage of trace and events
- Lightweight
- The timeline format is intuitive

Cons

- Manual interpretation of the data
- The translation from trace to timeline was informal, and so prone to ambiguosity
- Impossible to verify trace ⇔ interpretation



# Getting formal: formal methods

•

•



- A collection of mathematical techniques to rigorously state the specification of a system
- Useful to demonstrate properties of a system
- Remove the ambiguous nature of natural language
- Enable automatic verification of the system

At this point, Daniel started attending to classes about Formal Methods, Discrete Math, Discrete Events Systems, and Formal Verification.



# Getting formal: formal models



A model is an abstraction, removing the unnecessary details, focusing in a specific behavior.

Once a **satisfactory** model is found, it can be used instead of the system.



# Automata a formal language

That looked natural for a kernel developer



Formal definition  $G = \{X, E, F, x_0, X_m\}, \text{ where}$  X is set of states E is the finite set of events  $F : X \times E \to X \text{ is the transion function}$   $x_0 \text{ is the initial state}$   $X_m \subseteq X \text{ is the set of final states}$ 



# Modeling strategy

#### The modular approach



- Instead of modeling the system as a single automaton, the modular approach uses **generators** and **specifications** 
  - Generators:
    - Independent subsystems models
    - Generates all chain of events (without control)
  - Specification:
    - Control/synchronization rules of two or more subsystems
    - Blocks some events
- The parallel composition operation synchronizes the generators and specifications
  - The result is an automaton with all possible chain of events



Thesis



# Goals and contributions



# Goals of this thesis

Three sub-goals

This thesis proposes the creation of **a formal model of the Linux tasks**, including the synchronization primitives that influence their timing behavior.

This model should

enable the formal verification of the logical behavior of the system, as well as the formal analysis of its timing behavior.





# Contributions

#### Three stages

- First stage: the **formal model** 
  - The methodology
  - $\circ$  The model
  - Offline verification
- Second stage: **efficient runtime verification** of the logical behavior
  - Online runtime verification
  - Auto code generation from models
  - Can be used in production
- Third stage: **analysis and measurements** of the timing behavior
  - Interpretation of the model using academic real-time viewpoint
  - Definition of a safe latency bound
  - Development of a tool to measure the components of the latency bound





Thesis

Thesis

# Contributions



All the results are available online here:





# Part I: The thread model



# The PREEMPT\_RT Thread model

Approach







# Modeling



# **Events**

Online Library (wileyonlinelibrary.com). DOI: 10.1002/spc.2333

### Timing analysis of the PREEMPT RT Linux kernel

Daniel Bristot de Oliveira<sup>1,2</sup> and Romulo Silva de Oliveira<sup>1,8</sup>

<sup>1</sup>Department of Automation and Systems, Federal University of Santa Catarina, Forumonda, Breen, <sup>2</sup>Red Hat, Inc., Brazil

#### SUMMARY

In the theory of real-time scheduling, tasks are described by mathematical variables, when an analytical models in order to prove schedulability of the system. On real-time Linux, tasks are programs, and Linux developers try to lower the latencies caused by the Linux kernel, using an programs, and Linux developers try to lower the latencies caused by the Linux kernel, using an end to the highest-priority task. Although both seek temporal correctness measure in the different worlds, making in measure in the second s Based in the Timing analysis paper, but improved.

Based also on a daily base work as a kernel developer at red hat.



### Interrupt related events

NMI, IRQ, IRQ control



| Automaton event      | Kernel event           | Description        |
|----------------------|------------------------|--------------------|
| hw_local_irq_disable | preemptirq:irq_disable | Begin IRQ handler  |
| hw_local_irq_enable  | preemptirq:irq_enable  | Return IRQ handler |
| local_irq_disable    | preemptirq:irq_disable | Mask IRQs          |
| local_irq_enable     | preemptirq:irq_enable  | Unmask IRQs        |
| nmi_entry            | irq_vectors:nmi        | Begin NMI handler  |
| nmi_exit             | irq_vectors:nmi        | Return NMI Handler |



# Scheduling events

#### Preemption and scheduling







## Thread states

#### Runnable or not runnable? That is the question!



| Automaton event           | Kernel event          | Description                |
|---------------------------|-----------------------|----------------------------|
| sched_waking              | sched:sched_waking    | Activation of a thread     |
| sched_set_state_runnable  | sched:sched_set_state | Thread is runnable         |
| sched_set_state_sleepable | sched:sched_set_state | Thread can go to sleepable |



### Context switch

#### Two "meta" tasks: the one under analysis and all other



| Automaton event       | Kernel event       | Description                                                 |
|-----------------------|--------------------|-------------------------------------------------------------|
| sched_switch_in       | sched:sched_switch | Switch in of the thread under analysis                      |
| sched_switch_suspend  | sched:sched_switch | Switch out due to a suspension of the thread under analysis |
| sched_switch_preempt  | sched:sched_switch | Switch out due to a preemption of the thread under analysis |
| sched_switch_blocking | sched:sched_switch | Switch out due to a blocking of the thread under analysis   |
| sched_switch_in_o     | sched:sched_switch | Switch in of another thread                                 |
| sched_switch_out_o    | sched:sched_switch | Switch out of another thread                                |



# Mutex

Mutual exclusion



| Automaton event | Kernel event           | Description                         |
|-----------------|------------------------|-------------------------------------|
| mutex_lock      | lock:rt_mutex_lock     | Requested a RT Mutex                |
| mutex_blocked   | lock:rt_mutex_block    | Blocked in a RT Mutex               |
| mutex_acquired  | lock:rt_mutex_acquired | Acquired a RT Mutex                 |
| mutex_abandon   | lock:rt_mutex_abandon  | Abandoned the request of a RT Mutex |



## Read/write lock and semaphore

Read side



| Automaton event | Kernel event         | Description                            |
|-----------------|----------------------|----------------------------------------|
| read_lock       | lock:rwlock_lock     | Requested a R/W Lock or Sem as reader  |
| read_blocked    | lock:rwlock_block    | Blocked in a R/W Lock or Sem as reader |
| read_acquired   | lock:rwlock_acquired | Acquired a R/W Lock or Sem as reader   |
| read_abandon    | lock:rwlock_abandon  | Abandoned a R/W Lock or Sem as reader  |



## Read/write lock and semaphore

Write side



| Automaton event | Kernel event         | Description                            |
|-----------------|----------------------|----------------------------------------|
| write_lock      | lock:rwlock_lock     | Requested a R/W Lock or Sem as writer  |
| write_blocked   | lock:rwlock_block    | Blocked in a R/W Lock or Sem as writer |
| write_acquired  | lock:rwlock_acquired | Acquired a R/W Lock or Sem as writer   |
| write_abandon   | lock:rwlock_abandon  | Abandoned a R/W Lock or Sem as writer  |



# Generators



They are mostly basic kernel operations, in the way that developers think about them independently. They can be specialized, but better not generalize

them.



## The generators!

#### Independent operations







The PREEMPT\_RT thread model

# **Specifications**



We tried to keep the specifications as simple as possible, trying to model a single behavior per specification.

We also tried to keep a logical interpretation for each specification, like "necessary" and "sufficient" conditions.



## Specifications

#### Relation among operations (continue..)

| Name                                    | States | Events | Transitions |
|-----------------------------------------|--------|--------|-------------|
| S01 Sched in after wakeup               | 2      | 5      | 6           |
| S02 Resched and wakeup sufficiency      | 3      | 10     | 18          |
| S03 Scheduler with preempt disable      | 2      | 4      | 4           |
| S04 Scheduler doesn't enable preemption | 2      | 6      | 6           |
| S05 Scheduler with interrupt enabled    | 2      | 4      | 4           |
| S06 Switch out then in                  | 2      | 20     | 20          |
| S07 Switch with preempt/irq disabled    | 3      | 10     | 14          |
| S08 Switch while scheduling             | 2      | 8      | 8           |
| S09 Schedule always switch              | 3      | 6      | 6           |
| S10 Preempt disable to sched            | 2      | 3      | 4           |
| S11 No wakeup right before switch       | 3      | 5      | 8           |
| S12 IRQ context disable events          | 2      | 27     | 27          |
| S13 NMI blocks all events               | 2      | 34     | 34          |
| S14 Set sleepable while running         | 2      | 6      | 6           |
| S15 Don't set runnable when scheduling  | 2      | 4      | 4           |
| S16 Scheduling context operations       | 2      | 3      | 3           |
|                                         |        |        |             |





# Specifications

#### Relation among operations







# The model!

#### Composition of generators and specifications

- The final model has:
  - **9017** states
  - 20103 transitions
- It would be impossible to model it directly
- Using the modular approach, the final model is composed of:
  - $\circ$  34 events
  - 12 generators
  - 33 specifications
    - The most complex module (a specification) has **eight** states!





# Verification: perf task\_model



The perf task\_model extension was developed to do the automatic verification

Two phases: **record** and **report** 

All in user-space

That was a big problem of the "timing analysis" of the previous paper: there was no way to compare the kernel against our reasoning



### perf task\_model output

#### Automatically runs the automaton, based on the kernel trace

| bristot@                     | 1: Refere | nce mod | el: isorc.dot |          |                                                |    |
|------------------------------|-----------|---------|---------------|----------|------------------------------------------------|----|
|                              | 2: +>     | +=thr   | ead of intere | st=other | threads                                        |    |
| notraceschedule(bool pre     | 3:   +->  | T=Threa | d - I=IRQ - N | =NMI     |                                                |    |
| struct *prev, *next;         | 4:        |         |               |          |                                                |    |
| g *switch_count;             | 5:        | TID     | timestamp     | cpu      | event   state   safe?                          |    |
| ags rf;                      | 6: . T    | 8       | 436.912532    | [000]    | preempt_enable -> q0 safe                      |    |
| 1;                           | 7: . T    | 8       | 436.912534    | [000]    | local_irq_disable -> q8102                     |    |
|                              | 8: . T    | 8       | 436.912535    | [000]    | preempt_disable -> q19421                      |    |
| cessor_id();                 | 9: . T    | 8       | 436.912535    | [000]    | sched_waking -> q99                            |    |
| pu);                         | 10: . T   | 8       | 436.912535    | [000]    | sched_need_resched -> q14076                   |    |
| rr;                          | 11: . T   | 8       | 436.912535    | [000]    | local_irq_enable -> q1965                      |    |
| g(prev, preempt);            | 12: . T   | 8       | 436.912536    | [000]    | preempt_enable -> q12256                       |    |
| g(prev, preempt),            | 13: . T   | 8       | 436.912536    | [000]    | preempt_disable_sched -> q18615,q23376         |    |
| t(HRTICK))                   | 14: . T   | 8       | 436.912536    | [000]    | schedule_entry -> q16926,q17108,q264           | 9  |
| k_clear(rq);                 | 15: . T   | 8       | 436.912537    | [000]    | local_irq_disable -> q11700,q14046,q213        | 91 |
| able();                      | 16: . T   | 8       | 436.912537    | [000]    | sched_switch_out_o -> q10337,q20018,q219       | 33 |
| ext_switch(preempt);         | 17: . T   | 8       | 436.912537    | [000]    | <pre>sched_switch_in -&gt; q10268,q20126</pre> |    |
|                              | 18: + T   | 1840    | 436.912537    | [000]    | local_irq_enable -> q20036                     |    |
| that signal_pending_state()- | 19: + T   | 1840    | 436.912538    | [000]    | schedule_exit -> q21033                        |    |



unsigned long

cpu = smp\_proc

schedule\_debug



local\_irq\_disable(); rcu\_note\_context\_switch(preempt);

/\*
 \* Make sure that signal\_pending\_state()
 \* can't be reordered with \_\_set\_current\_

## Runtime verification of the kernel

#### Even better than we expected

• By modeling the **expected** behavior, we can catch cases in which the **kernel** 

#### does not behave as expected

- We found three problems on kernel
  - One unexpected call to schedule()
    - Schedule called in vain
      - Resulted in a kernel patch
  - Locking correctness
    - A scheduling while in atomic in the single-core case

#### Perf & Ftrace losing events

• A problem in the trace recursion control



### A Thread Synchronization Model for the PREEMPT\_RT Linux Kernel

Lessons learned



#### Pros

- Formal model
- Automatic cross-verification
- Automata is simple enough to avoid modeling problems
  - We often faced state explosion but made it
- The format was well received by Linux kernel community

#### Cons

- The verification uses too much resources
  - GBs of data per sec
- Offline
  - No actions can be taken during a problem
- It shows the bound of the scheduling latency, but it is only logical and too formal!





# Part II: Verifying the logical behavior



## Efficient runtime verification for the Linux Kernel

#### Approach





#### dot2c



- We develop the **dot2c** tool to translate the model into code
  - It is unpractical to thing about coding a model with 20k+ states
- It is a python program that has one input:
  - An automaton model in the .dot format
    - It is an open format (graphviz)
- **Supremica tool** exports models with this format



WiP Example



Code generation:

•••

[bristot@t460s dot2c]\$ ./dot2c wakeup\_in\_preemptive.dot



#### Automaton in C





#### Automaton in C



#### dot2c



- Interprets the kernel events, using the model
- Built as a kernel module
  - Processing the events synchronously with the kernel execution
- Set up instrumentation:
  - Hooks to kernel events, e.g., tracepoints, functions,...
  - Waits for the initial condition
- Verifies if a given kernel event is accepted by the model
  - If an error occurs, actions can be taken in the current state of the system
    - Stacktraces
    - Print variables
    - Save a memory dump...



#### Main function: process event



get\_event\_name(ver, event),
get\_state\_name(ver, curr\_state));

stack(0);

}

return false;



#### Main function: in details



}

void set\_curr\_state(struct verification \*ver, enum states state) {
 ver->curr\_state = state;



**Red Hat** 

#### Main function: in details



void set\_curr\_state(struct verification \*ver, enum states state) {
 ver->curr\_state = state;

}

Only one variable to keep the state!



### Instrumentation

#### Running the verification



- Kernel module is loaded to a running kernel
  - While no problem is found:
    - Either print the execution of all events in the trace buffer
    - Or run silently
- If an unexpected transitions is found:
  - Print the error on trace buffer
  - $\circ$  Take any action



### Error output

#### A real one

bash-1157 [003] ....2.. 191.199172: process\_event: non\_preemptive -> preempt\_enable = preemptive safe! bash-1157 [003] dN..5.. 191.199182: process\_event: event sched\_waking not expected in the state preemptive bash-1157 [003] dN..5.. 191.199186: <stack trace> => process\_event => \_\_handle\_event => ttwu\_do\_wakeup => try\_to\_wake\_up => irg\_exit => smp\_apic\_timer\_interrupt => apic\_timer\_interrupt sched\_waking => rcu\_irq\_exit\_irqson => trace\_preempt\_on => preempt\_count\_sub => \_raw\_spin\_unlock\_irgrestore preempt\_disable => \_\_down\_write\_common preemptive non\_preemptive => anon\_vma\_clone preempt\_enable => anon\_vma\_fork => copy\_process.part.42 => \_do\_fork => do\_syscall\_64 => entry\_SYSCALL\_64\_after\_hwframe



# Kernel bug report

| <b>LKML:</b> Daniel Bristot de C                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | + × ×                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |                                                                |       |       |    |        |   |   |             |     |   |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------|-------|-------|----|--------|---|---|-------------|-----|---|
| ← → C 🔒 lkml.org/lk                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | kml/2019/5/28/680                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | ☆                                                              |       | 0     | C  |        | Ø | ø | <b>\$</b> 2 | * ( | : |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | <pre>[lkml] [2019] [May] [28] [las100] ISS<br/>Views: [wrap] [headers] [forward]<br/>From Daniel Bristot de Oliveira &lt;&gt;<br/>Subject [RFC 0/3] preempt_tracer: Fix preempt_di</pre>                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | isable 1                                                       | trace | epoi  | nt |        |   |   |             |     |   |
| <ul> <li>Daniel Bristot de Oliveira</li> <li>Peter Zijistra</li> <li>Joel Fernandes</li> <li>Steven Rostedt</li> <li>Daniel Bristot de Oliveira</li> <li>Daniel Bristot de Oliveira</li> <li>Peter Zijistra</li> <li>Joel Fernandes</li> <li>Daniel Bristot de Oliveira</li> <li>Peter Zijistra</li> <li>Joel Fernandes</li> <li>Daniel Bristot de Oliveira</li> <li>Peter Zijistra</li> <li>Daniel Bristot de Oliveira</li> <li>Deniel Bristot de Oliveira</li> <li>Deniel Bristot de Oliveira</li> <li>Peter Zijistra</li> <li>Daniel Bristot de Oliveira</li> <li>Deniel Bristot de Oliveira</li> <li>Deniel Bristot de Oliveira</li> </ul> | <pre>Subject [RFC 0/3] preempt_tracer: Fix preempt_di<br/>Date Tue, 28 May 2019 17:16:21 +0200<br/>While playing with the model + working in a fix for the task<br/>context &amp; trace recursion, I ended up hitting two cases in wh<br/>preempt_disable/enable tracepoint was supposed to happen, but<br/>There is an explanation for each case in the log message.<br/>This is an RFC exposing the problem, with possible ways to fis<br/>But I bet there might be better solutions as well, so this is<br/>RFC.<br/>Daniel Bristot de Oliveira (3):<br/>softirg: Use preempt latency_stop/start to trace preemption<br/>preempt_tracer: Disable IRQ while starting/stopping due to<br/>preempt_counter change<br/>preempt_counter change<br/>preempt_counter change<br/>files changed, 55 insertions(+), 24 deletions(-)<br/><br/>2.20.1<br/>Last update: 2019-05-28 17:17 [W:0.143/U:2.832 seconds]<br/>@2003-2020 Jasper Spaanshosted at Digital Ocean and Trans/P/Read the blog/Advertise on<br/>Data the support of the start of the blog/Advertise on<br/>Digital Ocean and Trans/P/Read the blog/Advertise on<br/>Data the support of the start of the blog/Advertise on<br/>Data the support of the support of the blog/Advertise on<br/>Data the support of the support of the blog/Advertise on<br/>Data the support of the support of the blog/Advertise on<br/>Data the support of the support of the blog/Advertise on<br/>Data the support of the support of the blog/Advertise on<br/>Data the support of the support of the blog/Advertise on<br/>Data the support of the support of the support of the blog/Advertise on<br/>Data the support of the support of the support of the blog the blog the blog the support of the suppo</pre> | hich the<br>t didn't.<br>ix it.<br>s a real<br>n<br>a<br>calls |       | epoi. | nt | ( ) II |   |   |             |     |   |

A problem with tracing subsystem was reported using this model's module.

Some preempt\_disable/enable events missing.

Problem was reported and discussed.



#### **Online Runtime Verification**





# Performance evaluation



#### **Online Runtime Verification**

## Performance evaluation

#### Setup



- Two benchmarks
  - Throughput using the Phoronix Test Suite
    - Low kernel activity
    - High kernel activity
  - Scheduling latency
    - Cyclictest
- Base of comparison
  - **as-is**: the system without any verification or trace
  - *model*: a sample model
  - **trace**: tracing (ftrace) the same events used in the verification
    - **Only trace**! No collection or interpretation



### Performance evaluation

#### High kernel activation (SWA monitor)









### Performance evaluation

#### Low kernel activation (SWA monitor)









## Performance evaluation

Scheduling latency experiment (NRS monitor)





# Remarks



- Trace is enable in production systems
  - So this method can be used on production as well
- This is useful mainly for debugging problems:
  - Model the expected behavior
  - Wait for an unexpected event to happen
- We already have content for a journal extension
- There is the interest of other working groups on it
  - Mainly for safety-critical systems and Cl
  - We are trying to model other subsystem
  - I am also working with other formalism

The experiments and proof of concept code are available here:







# Part III:

# Timing behavior analysis



### Real-Time Linux vs Real-Time theory

#### Linux approach

| Alicy: fife: loadavg: 14.90<br>0 (2735898) P:95 I:1000 C<br>1 (2735899) P:95 I:1500 C<br>2 (2735900) P:95 I:2000 C | : 66520 Min: | 4 Act:<br>4 Act: | 5 Avg: 5 Ma |  |
|--------------------------------------------------------------------------------------------------------------------|--------------|------------------|-------------|--|
| 1 (2735899) P:95 I:1500 C                                                                                          |              |                  | 5 Avg: 5 Ma |  |
|                                                                                                                    | : 44341 Min: | 4 Act.           |             |  |
|                                                                                                                    |              |                  |             |  |
|                                                                                                                    |              | 4 Act:           | 6 Avg: 5 Ma |  |
| 3 (2735901) P:95 I:2500 C                                                                                          |              | 4 Act:           |             |  |
| 4 (2735902) P:95 I:3000 C                                                                                          |              | 4 Act:           | 5 Avg: 5 Ma |  |
| 5 (2735903) P:95 I:3500 C                                                                                          | : 18993 Min: | 4 Act:           |             |  |
| 6 (2735904) P:95 I:4000 C                                                                                          | : 16609 Min: | 4 Act:           |             |  |
| 7 (2735905) P:95 I:4500 C                                                                                          | : 14769 Min: | 4 Act:           |             |  |
| 8 (2735906) P:95 I:5000 C                                                                                          | : 13290 Min: | 4 Act:           |             |  |
| 3 8 (2735900) P:95 I:5500 C                                                                                        | : 12080 Min: | 4 Act:           |             |  |
| 3 0 (2735907) F:35 1:5600 C                                                                                        |              | 8 Act:           |             |  |
| 10 (2735908) P:95 I:6000 C                                                                                         |              | 4 Act:           |             |  |
| 11 (2735909) P:95 I:6500 C                                                                                         |              | 5 Act:           |             |  |
| (11 (2735910) P:95 I:7000 C                                                                                        |              | 5 Act:           |             |  |
|                                                                                                                    |              |                  |             |  |
| (13 (2735911) P:95 I:7500 C<br>(114 (2735912) P:95 I:8000 C                                                        | : 780I Min:  | 4 Act:           |             |  |



- PREEMPT\_RT: De facto standard
- Evaluated (mainly) with cyclictest
- Cyclictest:
  - Practical: lightweight and out-of-the-box
  - It is a "black-box" test
  - No demonstration
  - Does not provide evidence of "root-cause"



## Demystifying the Real-Time Linux Scheduling Latency

Approach





## From formal specification to synchronization rules

Formally backed natural language arguments



- Generators
  - Translated into a **set of operations**

- Specifications
  - Translated into a **set of** synchronization **rules**



# Scheduling latency definition

The **scheduling latency** experienced by an arbitrary thread **T** is

- the **longest time** elapsed **between** the *time* A in which any job of T becomes **ready and with the highest priority**
- and the *time F* in which the scheduler returns and allows T to **execute its code**

From the first necessary condition to set need resched, to the the last action after the scheduling, which is enabling preemption after the return from \_\_schedule().

# Interference and blocking

void \_\_sched notrace \_\_schedule(b

struct task\_struct \*prev, \*next; unsigned long \*switch\_count; struct rq\_flags rf; struct rq \*rq; int cpu;

cpu = smp\_processor\_id(); rq = cpu\_rq(cpu); prev = rq->curr;

schedule\_debug(prev, preempt);

local\_irq\_disable(); rcu\_note\_context\_switch(preempt)

#### The scheduling latency is caused by

- **Blocking** from the current (and so lower) priority thread
  - Including scheduling
- Interference from IRQs and NMI

The scheduling latency in this paper refers to the delay between the notification of a new highest priority thread, to point in which this thread starts running its own code. The highest priority thread can belong to any scheduler: the analysis is

scheduler independent.



## Blocking bound

#### From the specification that bounds the block to a timeline





### Timeline and cases

All possible cases







## **Blocking variables**

- **DPOID**: preemption or interrupts disabled to postpone the scheduler
- DPAIE: preemption and interrupts enabled, as a transient state from poid to psd; when scheduling a new highest priority thread
- **Dpsp**: preemption disable to schedule
- **Dsr**: delay caused by the scheduling tail; the "non return" point in which a new arrived task will have to wait for the current scheduling operation to finish before scheduling

In the model, the preemption control is specialized into two different operations: to *postpone the scheduler* (the most known behavior) or to *protect the execution of the \_\_schedule()* function from recursion.



### Timeline and cases

#### Variables in the the timeline





### Timeline and cases

#### IRQ and NMI interference





76

### And the scheduling latency bounds to:

By leveraging the individual bounds on  $L^{10}$  is overall bound that is valid for all the Lemma 7.

 $L^{TP} \leq max(D_{ST}, D_{POID}) + D_{PAIE} + D_{PSD}$ 

The lemma follows by noting that cases (in clusive and cover all the possible sequences of meed\_reached, to the time instant in which Definition 1), and the right-hand side of Equations 2, 3, 4, and 5.

**Theorem 8 summarizes the results derived is u Theorem 8.** The scheduling latency experiment is a positive value that fulfills the following of  $L = max(D_{ST}, D_{POID}) + D_{PAIE} + D_{PSD} + I^{**}$ and The theorem follows directly from Lemma is a scale to the IRQ handler, the present

$$L = max(Dst, Dpoid) + Dpaie + Dpsd + I^{NMI}(L) + I^{IRQ}(L)$$

The bound considers all possible cases. Note that the Latency *L* is present in both sides of the equation. So, L is bounded by the least positive value fulfilling the equation (like on RTA).





## Interrupts are workload dependent

- Instead of proposing "the best" interrupt characterization, the rtsl reports the scheduling latency based on some well-known characterizations:
  - No interrupt
  - Worst single interrupt
  - Single occurence of all interrupts
  - Sporadic
  - Sliding window (Author's preferred)
  - Sliding window with oWCET

This topic was heavily discussed at the Real-time Micro Conference (inside Linux Plumbers) in 2019, more info here:





#### A practical scheduling latency estimation tool

#### Method and challenges

| <pre># /dev/cpu_dma</pre>                                                                                                  | -01 ~]# cyclicte<br>_latency set to<br>loadavg: 14.90 6                                      |                                                                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | 1                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                      |
|----------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------|
| T: 1 (2735899)<br>T: 2 (2735900)<br>T: 3 (2735901)<br>T: 4 (2735902)<br>T: 5 (2735903)<br>T: 6 (2735904)<br>T: 7 (2735905) | P:95 I:6000 C:<br>P:95 I:6500 C:<br>P:95 I:7000 C:<br>P:95 I:7500 C:<br>P:95 I:7500 C:<br>C: | 66520 Min:<br>44341 Min:<br>33251 Min:<br>26598 Min:<br>22162 Min:<br>18993 Min:<br>16617 Min:<br>14769 Min:<br>13200 Min:<br>12080 Min:<br>10072 Min:<br>10219 Min:<br>9488 Min:<br>8854 Min:<br>8200 Min:<br>7801 Min: | 4 Act:<br>4 Act:<br>5 Act:<br>5 Act:<br>5 Act:<br>4 Act:<br>4 Act:<br>5 Act:<br>5 Act:<br>4 Act:<br>5 Act:<br>5 Act:<br>4 Act:<br>5 Act:<br>7 Act: | 5 Avg: 5 Max:<br>6 Avg: 5 Max:<br>5 Avg: 5 Max:<br>5 Avg: 5 Max:<br>5 Avg: 5 Max:<br>6 Avg: 5 Max:<br>6 Avg: 5 Max:<br>6 Avg: 5 Max:<br>6 Avg: 5 Max:<br>12 Avg: 13 Max:<br>6 Avg: 5 Max: |                      |
| T:15 (2735913<br>T:16 (2735914<br>T:17 (2735915                                                                            | ) P:95 I:8500 C:<br>) P:95 I:9000 C:                                                         | 7370 Min:<br>6983 Min:                                                                                                                                                                                                   | 5 Act:<br>4 Act:<br>5 Act:<br>5 Act:                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | 9 AVE: 5 Max3<br>6 AVE: 5 Max3<br>6 AVE: 5 Max3<br>9 AVE: 6 Max3<br>9 AVE: 6 Max3                                                                                                                                                                                                                                                                                                                                                                                         | 17<br>13<br>25<br>16 |

- Based on the latency bound
- The latency bound is based on the model
- The *model* is based on tracing of events
  - but high frequency events
    - hundreds MB/sec/CPU
- Challenges:
  - To minimize the (runtime) overhead
  - Work out-of-the-box



# rt\_sched\_latency (rtsl)



#### Based on **perf**

-

Works in two phases:

- The **record** mode saves the trace data;
- The **report** mode process the trace and does the analysis.



## record phase

#### Low overhead trace recording



- Filters the high frequency trace
  - Doing in-kernel processing
- For blocking variables
  - Reports only the discover of new max values
- For IRQ and NMI
  - Reports one event for each occurrence
- Discounts the interference
  - e.g., IRQ interference on a **poid**



## report phase

#### Low overhead trace recording



• After the capture, analyzes the trace.

• All in user-space.

• Most of the analysis is done in python

• Easy to extend

• Two outputs

• Textual: good for debug

• Chart: good comparisons (and papers :-))

• Does a per-cpu scheduling latency analysis

• Using different IRQ/NMI characterization



### rtsl report output

#### Textual output

| Interference Free Latency:             |                                    |  |  |  |  |
|----------------------------------------|------------------------------------|--|--|--|--|
| paie is lower than 1 us -> neglectable |                                    |  |  |  |  |
| latency = max(poid, dst) + paie + psd  |                                    |  |  |  |  |
| 42212                                  | $= \max(22510, 19312) + 0 + 19702$ |  |  |  |  |
| Cyclictest:                            |                                    |  |  |  |  |
| Latency                                | = 27000 with Cyclictest            |  |  |  |  |
| No Interrupt                           | s:                                 |  |  |  |  |
| Latency                                | = 42212 with No Interrupts         |  |  |  |  |
| Sporadic:                              |                                    |  |  |  |  |
| INT:                                   | oWCET OMIAT                        |  |  |  |  |
| NMI:                                   | 0 0                                |  |  |  |  |
| 33:                                    | 16914 257130                       |  |  |  |  |
| 35:                                    | 12913 1843 <- owcet > omiat        |  |  |  |  |
| 236:                                   | 20728 1558 <- oWCET > oMIAT        |  |  |  |  |
| 246:                                   | 3299 1910321                       |  |  |  |  |
| Did not                                | converge.                          |  |  |  |  |

continuing.... Sliding window: Window: 42212 NMI: 0 33: 16914 14588 35: 236: 20728 246: 3299 Window: 97741 236: 21029 <- new! Window: 98042 Converged! Latency = 98042 with Sliding Window



## rtsl report output

#### Chart output







## **Experiments**

- Scheduling latency measurements on two systems:
  - workstation: eighth CPUs
  - server: twelve CPUs server
- Experiments:
  - Single-core
    - Different duration
    - Different workload
  - Multi-core
- Running in parallel with cyclictest
- Note: The goal of the experiments is to
  - demonstrate the tool, not to define worst values.

The experiments passed by the artifact evaluation!





#### Single-core experiments





#### Multicore experiments





# Remarks



- The PREEMPT\_RT preemption model is deterministic, and the scheduling latency is bounded
- The approach presented in this thesis opens the door for a new set of real-time analysis for Linux
  - The analytical interpretation of Linux thread model developed in this paper untight the Linux complexity, enabling the reasoning at a more sophisticated level
- Even though this rtsl finds higher scheduling latency values, they are still low enough to justify Linux as RTOS on the current scenarios
- rtsl is practical, and resolves many problems of cyclictest.
  - E.g., it can be used to point to the root causes of the latency
  - But still can, and should, be improved
    - Both with code, and other analysis.

For more information about the paper, like source code, other comments, Q&A, check its companion page!





Automata-based Formal Analysis and Verification of the Real-Time Linux Kernel



# Results



89

#### Papers

- D. B. de Oliveira, R. S. de Oliveira, T. Cucinotta, L. Abeni. Automata-Based Modeling of Interrupts in the Linux PREEMPT RT Kernel, in Proceedings of the 22nd IEEE International Conference on Emerging Technologies And Factory Automation (ETFA 2017), September 12-15, 2017, Limassol, Cyprus.
- D. B. de Oliveira, T. Cucinotta, R. S. de Oliveira. Modeling the Behavior of Threads in the PREEMPT\_RT Linux Kernel Using Automata, in Proceedings of the International Workshop on Embedded Operating Systems (EWILI 2018), October 10th, 2018, Torino, Italy.
- D. B. de Oliveira, R. S. de Oliveira, T. Cucinotta. Untangling the Intricacies of Thread Synchronization in the PREEMPT RT Linux Kernel, in Proceedings of the 22nd IEEE International Symposium on Real-Time Distributed Computing (IEEE ISORC 2019), May 7-9, 2019, Valencia, Spain

#### Main topic

- One workshop
- Four conferences
- One journal

All available here:





#### Papers

- **D. B. De Oliveira**, T. Cucinotta, R. S. De Oliveira. **Efficient formal verification for the Linux kernel**, 17th International Conference on Software Engineering and Formal Methods (SEFM 2019), September 16–20th, 2019, Oslo, Norway.
- **D. B. De Oliveira**, R. S. De Oliveira, T. Cucinotta. **A thread synchronization model for the PREEMPT\_RT Linux kernel**, Elsevier Journal of Systems Architecture (JSA), Vol. 107, August 2020.
- **D. B. De Oliveira**, D. Casini, R. S. De Oliveira. T. Cucinotta. **Demystifying the Real-Time Linux Scheduling Latency**, in the Proceedings of the 32th Euromicro Conference on Real-time Systems (ECRTS), July 7-10th, 2020, Modena, Italy.

#### Main topic

Journal = Consolidated results

SEFM = Lost the fear of FM community

ECRTS = A top RT conference explaining the math behind the PREEMPT RT (**my goal**)



Automata-based Formal Analysis and Verification of the Real-Time Linux Kernel

### Other papers

- D. B. De Oliveira, R. S. De Oliveira (2016). Timing analysis of the PREEMPT RT Linux kernel, Softw. Pract. Exper., 46: 789–819. doi: 10.1002/spe.2333.
- K. P. Silva, L. F. Arcaro, D. B. de Oliveira, R. S. de Oliveira. An Empirical Study on the Adequacy of MBPTA for Tasks Executed on a Complex Computer Architecture with Linux, in Proceedings of the 23rd IEEE International Conference on Emerging Technologies And Factory Automation (ETFA 2018), September 4th - 7th, 2018, Torino, Italy.
- D. B. de Oliveira, D. Casini, R. S. de Oliveira, T. Cucinotta, A. Biondi and G. Buttazzo. Nested Locks in the Lock Implementation: The Real-Time Read-Write Semaphores on Linux, in Proceedings of the International Real-Time Scheduling Open Problems Seminar (RTSOPS 2018), co-located with the 30th Euromicro Conference on Real-Time Systems (ECRTS 2018). July 3, 2018, Barcelona, Spain.
- D. B. De Oliveira, D. Casini, R. S. De Oliveira. T. Cucinotta. Demystifying the Real-Time Linux Scheduling Latency (Artifact), in the Proceedings of the 32th Euromicro Conference on Real-time Systems (ECRTS), July 7-10th, 2020, Modena, Italy.

#### **Other papers**

One conference as third author

One workshop

One journal in the *informal* part of the Ph.D.

One artifact evaluation



# Linux related conferences

#### • 18 talks at Linux/Open Source related conferences

- CZ 4, CA 4, FR 3, PT 2, UK 1, US 1, BR 1, IT 1, Online 1.
- Mostly about the topics of the thesis
- But also about other RT and trace topics
- I organized:
  - Real-time micro conference at Linux Plumbers 2019
  - Real-time Linux Summit 2019
  - Real-time micro conference at Linux Plumbers 2020...
  - Real-time Linux Summit 2020...
- Helped on:
  - Scheduling micro conference at Linux Plumbers 2019
  - Scheduling micro conference at Linux Plumbers 2020

# Slides of my talks are all here:





## Other academic activities

#### • Classes:

- Real-time Linux at Real-time course (UFSC)
- Formal verification at Component-based software design course (SSSUP)
- Managed the cotutela agreement
  - Lots of work to merge IT/BR Ph.D. rules
- Collaborations with other research groups
  - Boston University Unikernel
  - ETH Zurich FM
- Reviewed papers for SBESC
- PC of EWiLi and (postponed to 2021) RT Cloud Workshop inside ECRTS
- Participated in a European project submission
  - Ericsson/Red Hat/Uni Torino/Lund University/Sant'Anna
  - Not as a student but as Red Hat (industrial partner)

Slides of my talks are all here:





# **Final words**



- The idea of using formal methods to explain Linux was risky:
  - I touched state-explosion many times
  - Kernel generates GB of events per second
- The simplicity of automata was the key factor
  - It was simple on purpose
- The RV results were WAY better than expected
- The Latency paper was the goal and, with that in a top conference, I could finally sleep in peace with myself
- This is just the beginning, because there is a lot of work to be done
- Thanks Tommaso, Romulo, Casini, Luca and Clark

For more information about the thesis, like source code, other comments, Q&A, check its companion page!







96



# Questions?



That is all for today, thanks for watching, and have a nice day!









