Stack-based scheduling for realtime processes
Real-Time Systems
Efficiently computing static single assignment form and the control dependence graph
ACM Transactions on Programming Languages and Systems (TOPLAS)
Using continuations to implement thread management and communication in operating systems
SOSP '91 Proceedings of the thirteenth ACM symposium on Operating systems principles
Improving IPC by kernel design
SOSP '93 Proceedings of the fourteenth ACM symposium on Operating systems principles
SOSP '95 Proceedings of the fifteenth ACM symposium on Operating systems principles
Interface and execution models in the Fluke kernel
OSDI '99 Proceedings of the third symposium on Operating systems design and implementation
Programming semantics for multiprogrammed computations
Communications of the ACM
Efficient microarchitecture modeling and path analysis for real-time software
RTSS '95 Proceedings of the 16th IEEE Real-Time Systems Symposium
Cost and Benefit of Separate Address Spaces in Real-Time Operating Systems
RTSS '02 Proceedings of the 23rd IEEE Real-Time Systems Symposium
Low-Complexity Algorithms for Static Cache Locking in Multitasking Hard Real-Time Systems
RTSS '02 Proceedings of the 23rd IEEE Real-Time Systems Symposium
Putting it all together – Formal verification of the VAMP
International Journal on Software Tools for Technology Transfer (STTT) - A View from Formal Methods 2003 (pp 301-354); Special Section on Recent Advances in Hardware Verification (pp 355-447)
Chronos: A timing analyzer for embedded software
Science of Computer Programming
Certifying low-level programs with hardware interrupts and preemptive threads
Proceedings of the 2008 ACM SIGPLAN conference on Programming language design and implementation
Proving Fairness and Implementation Correctness of a Microkernel Scheduler
Journal of Automated Reasoning
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
Implementation Correctness of a Real-Time Operating System
SEFM '09 Proceedings of the 2009 Seventh IEEE International Conference on Software Engineering and Formal Methods
The OKL4 microvisor: convergence point of microkernels and hypervisors
Proceedings of the first ACM asia-pacific workshop on Workshop on systems
Modular verification of preemptive OS kernels
Proceedings of the 16th ACM SIGPLAN international conference on Functional programming
Protected hard real-time: the next frontier
Proceedings of the Second Asia-Pacific Workshop on Systems
Timing Analysis of a Protected Operating System Kernel
RTSS '11 Proceedings of the 2011 IEEE 32nd Real-Time Systems Symposium
A trustworthy monadic formalization of the ARMv7 instruction set architecture
ITP'10 Proceedings of the First international conference on Interactive Theorem Proving
To preempt or not to preempt, that is the question
Proceedings of the Asia-Pacific Workshop on Systems
To preempt or not to preempt, that is the question
APSys'12 Proceedings of the Third ACM SIGOPS Asia-Pacific conference on Systems
Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles
ACM SIGOPS 24th Symposium on Operating Systems Principles
From L3 to seL4 what have we learnt in 20 years of L4 microkernels?
Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
Hi-index | 0.00 |
Many real-time operating systems (RTOSes) offer very small interrupt latencies, in the order of tens or hundreds of cycles. They achieve this by making the RTOS kernel fully preemptible, permitting interrupts at almost any point in execution except for some small critical sections. One drawback of this approach is that it is difficult to reason about or formally model the kernel's behavior for verification, especially when written in a low-level language such as C. An alternate model for an RTOS kernel is to permit interrupts at specific preemption points only. This controls the possible interleavings and enables the use of techniques such as formal verification or model checking. Although this model cannot (yet) obtain the small interrupt latencies achievable with a fully-preemptible kernel, it can still achieve worst-case latencies in the range of 10,000s to 100,000s of cycles. As modern embedded CPUs enter the 1 GHz range, such latencies become acceptable for more applications, particularly when they come with the additional benefit of simplicity and formal models. This is particularly attractive for protected multitasking microkernels, where the (inherently non-preemptible) kernel entry and exit costs dominate the latencies of many system calls. This paper explores how to reduce the worst-case interrupt latency in a (mostly) non-preemptible protected kernel, and still maintain the ability to apply formal methods for analysis. We use the formally-verified seL4 microkernel as a case study and demonstrate that it is possible to achieve reasonable response-time guarantees. By combining short predictable interrupt latencies with formal verification, a design such as seL4's creates a compelling platform for building mixed-criticality real-time systems.